Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
authn-k8s
- !policy
id: conjur/authn-k8s/minikube/default
owner: !group /k8s_admin
body:
- !webservice
annotations:
kubernetes/namespace: default
- !host client
- !permit
resource: !webservice
privilege: [ read, execute ]
roles:
- !host client
- !policy
id: conjur/authn-k8s/minikube/default
owner: !group /k8s_admin
body:
- !policy
id: apps
annotations:
description: Apps and services in Kubernetes "default" namespace.
body:
- &hosts
- !host webapp
# Make these hosts visible to the devops group, so that they can add to their layers.
- !permit
resources: *hosts
privilege: read
roles: !group /devops
- !permit
resources: *hosts
privilege: [ read, authenticate ]
roles:
- !host /conjur/authn-k8s/minikube/default/client
#!/bin/bash -e
conjur policy load \
https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/users.yml
admin_api_key=$(conjur user rotate_api_key)
# ted is k8s_admin
ted_api_key=$(conjur user rotate_api_key -u ted)
# bob is devops
bob_api_key=$(conjur user rotate_api_key -u bob)
# alice is db_admin
alice_api_key=$(conjur user rotate_api_key -u alice)
conjur authn logout
export CONJUR_AUTHN_LOGIN=ted
export CONJUR_AUTHN_API_KEY=$ted_api_key
conjur policy load \
https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/authn_k8s.yml
conjur policy load \
https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/k8s_apps.yml
export CONJUR_AUTHN_LOGIN=bob
export CONJUR_AUTHN_API_KEY=$bob_api_key
conjur policy load \
https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/webapp.yml
- !group k8s_admin
- !group devops
- !group db_admin
- !user ted
- !grant
role: !group k8s_admin
member: !user ted
- !user bob
- !grant
role: !group devops
member: !user bob
- !user alice
- !grant
role: !group db_admin
member: !user alice
- !policy
id: webapp
owner: !group /devops
body:
- !layer
- !grant
role: !layer
members:
- !host /conjur/authn-k8s/minikube/default/apps/webapp
@avoidik

This comment has been minimized.

Copy link

avoidik commented Dec 5, 2017

Could you please point me where I can get intervention.sh script? ;)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.