Skip to content

Instantly share code, notes, and snippets.

@sbueringer
sbueringer / SecurityConfig.kt
Created September 30, 2017 09:22
Kotlin magic for Spring Security Config
// With a little bit of Kotlin magic
class WebSecurityConfig(val jwtValidator: JWTValidator) : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) = http {
matchRequests { !EndpointRequest.toAnyEndpoint() }
disable { csrf() }
disable { cors() }
authorizeRequests {
authenticate { anyRequest() }
}
addFilterBefore(JWTFilter(jwtValidator), UsernamePasswordAuthenticationFilter::class.java)
PS C:\Windows\system32> vagrant
INFO global: Vagrant version: 2.0.0
INFO global: Ruby version: 2.3.4
INFO global: RubyGems version: 2.5.2.1
INFO global: VAGRANT_EXECUTABLE="C:\\HashiCorp\\Vagrant\\embedded\\gems\\gems\\vagrant-2.0.0\\bin\\vagrant"
INFO global: VAGRANT_INSTALLER_EMBEDDED_DIR="C:\\HashiCorp\\Vagrant\\embedded"
INFO global: VAGRANT_INSTALLER_ENV="1"
INFO global: VAGRANT_INSTALLER_VERSION="2"
INFO global: VAGRANT_LOG="info"
INFO global: VAGRANT_OLD_ENV_="Q:=Q:\\"
### Keybase proof
I hereby claim:
* I am sbueringer on github.
* I am sbueringer (https://keybase.io/sbueringer) on keybase.
* I have a public key ASAWSdGxI8N0MxlfOX24-1xkB1cWlaPyituzWA-0S9cX5Ao
To claim this, I am signing this object:
@sbueringer
sbueringer / blog-opa-example1-cr.yaml
Last active January 9, 2019 18:17
Kubernetes Authorization via Open Policy Agent
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pods
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "update", "delete"]
---
kind: ClusterRoleBinding
package authorization
import data.k8s.matches
deny[{
"id": "pods-kube-system",
"resource": {
"kind": kind,
"namespace": namespace,
"name": name,
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: storageclasses
rules:
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["create", "update", "delete"]
---
kind: ClusterRoleBinding
package authorization
import data.k8s.matches
deny[{
"id": "storageclasses",
"resource": {
"kind": kind,
"namespace": namespace,
"name": name,
package authorization
test_deny_update_storageclass_ceph {
deny[{"id": id, "resource": {"kind": "storageclasses", "namespace": "", "name": "ceph"}, "resolution": resolution}] with data.kubernetes.storageclasses[""].ceph as {
"kind": "SubjectAccessReview",
"apiVersion": "authorization.k8s.io/v1beta1",
"spec": {
"resourceAttributes": {
"verb": "update",
"version": "v1",
@sbueringer
sbueringer / blog-opa-perf-mutating-webhook.yaml
Created February 18, 2019 20:37
blog-opa-perf-mutating-webhook.yaml
kind: MutatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
name: opa
webhooks:
- name: opa.k8s.io
rules:
- operations: ["*"]
apiGroups: ["*"]
apiVersions: ["*"]
@sbueringer
sbueringer / blog-opa-perf-mutating-webhook-optimized.yaml
Created February 18, 2019 20:39
blog-opa-perf-mutating-webhook-optimized.yaml
kind: MutatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
name: opa
webhooks:
- name: opa.k8s.io
rules:
- operations:
- CREATE
- UPDATE