Dynamic RBAC Operator

Flexible definitions of Kubernetes RBAC rules

About The Project

Writing Kubernetes RBAC definitions by hand can be a pain. This operator allows you to define "Dynamic" RBAC rules that change based on the state of your cluster, so you can spend your time writing the RBAC patterns that you'd like to deploy, rather than traditional, fully enumerated RBAC rules.

Built With

Getting Started

Installation

This operator can be installed with Kustomize:

kustomize build config/default | oc apply -f -

Usage

Once the operator is installed, you can begin using DynamicRole and DynamicClusterRole resources within your cluster.

For example, the following DynamicClusterRole inherits all rules from cluster-admin, except the user.openshift.io group, and only allows access to pods in the metrics.k8s.io group:

apiVersion: rbac.redhatcop.redhat.io/v1alpha1
kind: DynamicClusterRole
metadata:
  name: admin-without-users
spec:
  inherit:
    - name: cluster-admin
      kind: ClusterRole
  deny:
    - apiGroups:
        - "user.openshift.io"
      resources:
        - "*"
      verbs:
        - "*"
    - apiGroups:
        - "metrics.k8s.io"
      resources:
        - "*"
      verbs:
        - "*"
  allow:
    - apiGroups:
        - "metrics.k8s.io"
      resources:
        - "pods"
      verbs:
        - "*"

This will cause the operator to use the cluster's resource discovery API to enumerate all of the individual permissions granted by the cluster-admin ClusterRole, then remove access to the user.openshift.io resources (such as users) while leaving only pods accessible in the metrics.k8s.io group.

You can then create a RoleBinding or ClusterRoleBinding to admin-without-users (as a ClusterRole) as normal, and permissions will work as expected!
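To make the inherit/deny/allow resolution concrete, here is an added Python model of the process described above; it is not the operator's own code. It assumes a small constructed discovery table in place of the real discovery API, models permissions as (apiGroup, resource, verb) triples, and assumes deny is applied after inherit and allow after deny, as the admin-without-users example implies.

```python
# CONSTRUCTED stand-in for the cluster's resource discovery API:
# apiGroup -> resource -> verbs the API server supports. A real cluster returns far more.
DISCOVERY = {
    "": {"pods": ["get", "list", "delete"]},
    "user.openshift.io": {"users": ["get", "list"], "groups": ["get", "list"]},
    "metrics.k8s.io": {"pods": ["get", "list"], "nodes": ["get", "list"]},
}
# Assumed rules of the roles that may be inherited; cluster-admin really is "*"/"*"/"*".
CLUSTER_ROLES = {"cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
# The admin-without-users spec from the README, as a dict instead of YAML.
ADMIN_WITHOUT_USERS = {
    "inherit": [{"name": "cluster-admin", "kind": "ClusterRole"}],
    "deny": [
        {"apiGroups": ["user.openshift.io"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["metrics.k8s.io"], "resources": ["*"], "verbs": ["*"]},
    ],
    "allow": [{"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["*"]}],
}


def _matches(wanted, value):
    return "*" in wanted or value in wanted  # RBAC-style: "*" covers every value


def expand(rule):
    """Resolve one PolicyRule into the concrete (group, resource, verb) triples discovery knows."""
    return {
        (g, r, v)
        for g, resources in DISCOVERY.items() if _matches(rule["apiGroups"], g)
        for r, verbs in resources.items() if _matches(rule["resources"], r)
        for v in verbs if _matches(rule["verbs"], v)
    }


def resolve(spec):
    """Expanded inherited rules, minus what deny covers, plus what allow grants back (assumed order)."""
    effective = set()
    for ref in spec.get("inherit", []):
        for rule in CLUSTER_ROLES[ref["name"]]:
            effective |= expand(rule)
    for rule in spec.get("deny", []):
        effective -= expand(rule)
    for rule in spec.get("allow", []):
        effective |= expand(rule)
    return effective


if __name__ == "__main__":
    for group, resource, verb in sorted(resolve(ADMIN_WITHOUT_USERS)):
        print(f"{group or 'core'}/{resource}: {verb}")
```

Running it lists only the core pods permissions plus get/list on metrics.k8s.io pods; everything in user.openshift.io and metrics.k8s.io nodes is gone, which is the effective rule set you would expect a binding to admin-without-users to grant.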

Roadmap

See the open issues for a list of proposed features.

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

License

Distributed under the Apache License 2.0. See LICENSE for more information.

Contact

Project Link: https://github.com/redhat-cop/dynamic-rbac-operator