Yuvipanda has uploaded a new change for review.
https://gerrit.wikimedia.org/r/281591
Change subject: k8s: Switch to new format for ABAC
......................................................................
k8s: Switch to new format for ABAC
Also remove unused service account
Bug: T130972
Change-Id: If7d38bfdf0d182b2e3100c7ba61720c6ab3ba4f6
---
M modules/k8s/templates/abac.json.erb
1 file changed, 4 insertions(+), 5 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/91/281591/1
diff --git a/modules/k8s/templates/abac.json.erb
b/modules/k8s/templates/abac.json.erb
index 63315c3..3cf7953 100644
--- a/modules/k8s/templates/abac.json.erb
+++ b/modules/k8s/templates/abac.json.erb
@@ -1,14 +1,13 @@
-{"readonly": true, "resource": "swaggerapi"}
-{"readonly": true, "nonResourcePath": "/api"}
-{"user": "system:serviceaccount:kube-system:default", "readonly": true}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy",
"spec": {"user":"*", "nonResourcePath": "*", "readonly": true}}
<%- @users.each do |user| -%>
<%- if user['type'] == 'namespaced' -%>
<%- @namespace_allowed_resources.each do |resource| -%>
-{"user": "<%= user['name'] %>", "namespace": "<%= user['name'] %>",
"resource": "<%= resource %>"}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy",
"spec": {"user":"user['name']", "namespace": "user['name']", "resource": "<%=
resource %>", "apiGroup": "*" }}
<%- end -%>
<%- elsif user['type'] == 'infrastructure' or user['type'] == 'admin' -%>
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy",
"spec": {"user":"<%= user['name'] %>", "namespace": "*", "resource": "*",
"apiGroup": "*" }}
{"user": "<%= user['name'] %>"}
<%- elsif user['type'] == 'infrastructure-readonly' -%>
-{"user": "<%= user['name'] %>", "readonly": true}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy",
"spec": {"user":"<%= user['name'] %>", "namespace": "*", "resource": "*",
"apiGroup": "*", "readonly": true }}
<%- end -%>
<%- end -%>
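Review bot: the namespaced policy in this hunk leaves `user['name']` as a literal string instead of an ERB expression: `"spec": {"user":"user['name']", "namespace": "user['name']", ...}` renders a policy for a user literally called `user['name']` in a namespace of that name, so real namespaced users get no access at all; it should read `"user":"<%= user['name'] %>", "namespace": "<%= user['name'] %>"`, matching the `infrastructure`/`admin` and `infrastructure-readonly` branches. Two smaller points: the `infrastructure`/`admin` branch keeps the old-format line `{"user": "<%= user['name'] %>"}` next to the new `Policy` object, so the file still mixes both formats despite the commit message, and if that line only exists to cover non-resource paths it should become a `Policy` with `"nonResourcePath": "*"` rather than stay in the old shape. Also, replacing the two narrow read-only rules for `swaggerapi` and `/api` with `"user":"*", "nonResourcePath": "*", "readonly": true` widens read access to every non-resource path for every user; if that broadening is intended it deserves a line in the commit message, otherwise keep the path list explicit.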
--
To view, visit https://gerrit.wikimedia.org/r/281591
Gerrit-MessageType: newchange
Gerrit-Change-Id: If7d38bfdf0d182b2e3100c7ba61720c6ab3ba4f6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <[email protected]>
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits