Last active
May 9, 2019 20:56
-
-
Save infamousjoeg/4a3d102f3b84cb051928fafc715f564f to your computer and use it in GitHub Desktop.
Clean Example of Authn-K8s Policy for CyberArk DAP & Conjur Open Source
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !policy | |
| id: conjur/authn-k8s/conjur-follower | |
| #Subpolicy to define all things required for OpenShift Authentication | |
| body: | |
| - !webservice | |
| annotations: | |
| description: Authentication service definition for follower namespace | |
| - !policy #policy definition for CA - used as part of authenticator | |
| id: ca | |
| body: | |
| - !variable | |
| id: cert | |
| annotations: | |
| description: CA Cert for OpenShift Pods | |
| - !variable | |
| id: key | |
| annotations: | |
| description: Corresponding CA key for OpenShift Pod Cert | |
| - !policy | |
| id: apps | |
| annotations: | |
| description: Apps policy - all hosts must be members for OpenShift auth | |
| body: | |
| - !layer #creating "group of applications" for ease of provisioning | |
| - &PetShelterAppHosts | |
| - !host | |
| id: secure-pet-shelter/*/* | |
| annotations: | |
| kubernetes/authentication-container-name: authenticator | |
| openshift: true | |
| - &Go-AppHosts | |
| - !host | |
| id: go-app/*/* | |
| annotations: | |
| kubernetes/authentication-container-name: authenticator | |
| openshift: true | |
| - !grant | |
| role: !layer | |
| members: *PetShelterAppHosts | |
| - !grant | |
| role: !layer | |
| members: *Go-AppHosts | |
| - !permit | |
| resource: !webservice | |
| privileges: [ read, authenticate ] | |
| role: !layer /conjur/authn-k8s/conjur-follower/apps |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment