Merge pull request #25 from appuio/feat/user-rbac

Add user RBAC to default config
appuio · Jan 31, 2022 · 86b152d · 86b152d
2 parents d0458e7 + fb312c6
commit 86b152d
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 1 deletion.
diff --git a/config/deployment/deployment.yaml b/config/deployment/deployment.yaml
@@ -26,6 +26,8 @@ spec:
         - "--cert-dir=/apiserver.local.config/certificates"
         - "--secure-port=9443"
         - "--feature-gates=APIPriorityAndFairness=false"
+        - "--cluster-roles=control-api:organization-viewer,control-api:organization-admin"
+        - "--username-prefix=appuio#"
         volumeMounts:
         - name: apiserver-certs
           mountPath: /apiserver.local.config/certificates

diff --git a/config/user-rbac/basic-user-role.yml b/config/user-rbac/basic-user-role.yml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: control-api:basic-user
+rules:
+- apiGroups: ["organization.appuio.io"] 
+  resources: ["organizations"]
+  verbs: ["get", "watch", "list", "patch", "edit", "create"]
+- apiGroups: ["rbac.appuio.io"] 
+  resources: ["organizations"]
+  verbs: ["watch", "list", "create"]
+- apiGroups: ["appuio.io"] 
+  resources: ["zones"]
+  verbs: ["get", "watch", "list"]
diff --git a/config/user-rbac/basic-user-rolebinding.yml b/config/user-rbac/basic-user-rolebinding.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: control-api:basic-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: control-api:basic-user
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
diff --git a/config/user-rbac/kustomization.yaml b/config/user-rbac/kustomization.yaml
@@ -0,0 +1,5 @@
+resources:
+- basic-user-rolebinding.yml
+- basic-user-role.yml
+- organization-admin-role.yml
+- organization-viewer-role.yml
diff --git a/config/user-rbac/organization-admin-role.yml b/config/user-rbac/organization-admin-role.yml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: control-api:organization-admin
+rules:
+- apiGroups: ["rbac.appuio.io"] 
+  resources: ["organizations"]
+  verbs: ["get", "watch", "list", "patch", "edit", "create"]
+- apiGroups: ["appuio.io"] 
+  resources: ["organizationmembers"]
+  verbs: ["get", "watch", "list", "patch", "edit", "create"]
diff --git a/config/user-rbac/organization-viewer-role.yml b/config/user-rbac/organization-viewer-role.yml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: control-api:organization-viewer
+rules:
+- apiGroups: ["rbac.appuio.io"] 
+  resources: ["organizations"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["appuio.io"] 
+  resources: ["organizationmembers"]
+  verbs: ["get", "watch", "list"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["rolebindings"]
+  verbs: ["get", "watch", "list"]
diff --git a/local-env/setup-kind.sh b/local-env/setup-kind.sh
@@ -87,6 +87,7 @@ kubectl config set-credentials oidc-user \
 kubectl config set-context --current --user=oidc-user
 kubectl apply -k "${script_dir}/../config/crd/apiextensions.k8s.io/v1"
 kubectl apply -k "${script_dir}/../config/deployment"
+kubectl apply -k "${script_dir}/../config/user-rbac"
 
 echo =======
 echo "Setup finished. To interact with the local dev cluster, set the KUBECONFIG environment variable as follows:"

diff --git a/local-env/templates/kind-oidc.yaml.tpl b/local-env/templates/kind-oidc.yaml.tpl
@@ -9,5 +9,6 @@ nodes:
         extraArgs:
           oidc-issuer-url: ISSUER_KEYCLOAK/auth/realms/REALM
           oidc-client-id: local-dev
-          oidc-username-claim: email
+          oidc-username-claim: preferred_username
+          oidc-username-prefix: "appuio#"
           oidc-groups-claim: groups