Last active
December 5, 2017 14:18
-
-
Save kgilpin/d2678650f9f3052ab3d243d8d80d989f to your computer and use it in GitHub Desktop.
authn-k8s
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !policy | |
| id: conjur/authn-k8s/minikube/default | |
| owner: !group /k8s_admin | |
| body: | |
| - !webservice | |
| annotations: | |
| kubernetes/namespace: default | |
| - !host client | |
| - !permit | |
| resource: !webservice | |
| privilege: [ read, execute ] | |
| roles: | |
| - !host client | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !policy | |
| id: conjur/authn-k8s/minikube/default | |
| owner: !group /k8s_admin | |
| body: | |
| - !policy | |
| id: apps | |
| annotations: | |
| description: Apps and services in Kubernetes "default" namespace. | |
| body: | |
| - &hosts | |
| - !host webapp | |
| # Make these hosts visible to the devops group, so that they can add to their layers. | |
| - !permit | |
| resources: *hosts | |
| privilege: read | |
| roles: !group /devops | |
| - !permit | |
| resources: *hosts | |
| privilege: [ read, authenticate ] | |
| roles: | |
| - !host /conjur/authn-k8s/minikube/default/client | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -e | |
| conjur policy load \ | |
| https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/users.yml | |
| admin_api_key=$(conjur user rotate_api_key) | |
| # ted is k8s_admin | |
| ted_api_key=$(conjur user rotate_api_key -u ted) | |
| # bob is devops | |
| bob_api_key=$(conjur user rotate_api_key -u bob) | |
| # alice is db_admin | |
| alice_api_key=$(conjur user rotate_api_key -u alice) | |
| conjur authn logout | |
| export CONJUR_AUTHN_LOGIN=ted | |
| export CONJUR_AUTHN_API_KEY=$ted_api_key | |
| conjur policy load \ | |
| https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/authn_k8s.yml | |
| conjur policy load \ | |
| https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/k8s_apps.yml | |
| export CONJUR_AUTHN_LOGIN=bob | |
| export CONJUR_AUTHN_API_KEY=$bob_api_key | |
| conjur policy load \ | |
| https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/webapp.yml | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !group k8s_admin | |
| - !group devops | |
| - !group db_admin | |
| - !user ted | |
| - !grant | |
| role: !group k8s_admin | |
| member: !user ted | |
| - !user bob | |
| - !grant | |
| role: !group devops | |
| member: !user bob | |
| - !user alice | |
| - !grant | |
| role: !group db_admin | |
| member: !user alice | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !policy | |
| id: webapp | |
| owner: !group /devops | |
| body: | |
| - !layer | |
| - !grant | |
| role: !layer | |
| members: | |
| - !host /conjur/authn-k8s/minikube/default/apps/webapp | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Could you please point me where I can get intervention.sh script? ;)