Stefan Büringer sbueringer
sbueringer
/ blog-opa-perf-mutating-webhook.yaml
Created
February 18, 2019 20:37
blog-opa-perf-mutating-webhook.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kind: MutatingWebhookConfiguration | |
| apiVersion: admissionregistration.k8s.io/v1beta1 | |
| metadata: | |
| name: opa | |
| webhooks: | |
| - name: opa.k8s.io | |
| rules: | |
| - operations: ["*"] | |
| apiGroups: ["*"] | |
| apiVersions: ["*"] |
sbueringer
/ blog-opa-example2-test.rego.rb
Last active
June 23, 2019 17:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package authorization | |
| test_deny_update_storageclass_ceph { | |
| deny[{"id": id, "resource": {"kind": "storageclasses", "namespace": "", "name": "ceph"}, "resolution": resolution}] with data.kubernetes.storageclasses[""].ceph as { | |
| "kind": "SubjectAccessReview", | |
| "apiVersion": "authorization.k8s.io/v1beta1", | |
| "spec": { | |
| "resourceAttributes": { | |
| "verb": "update", | |
| "version": "v1", |
sbueringer
/ blog-opa-example2.rego.rb
Last active
January 11, 2019 18:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package authorization | |
| import data.k8s.matches | |
| deny[{ | |
| "id": "storageclasses", | |
| "resource": { | |
| "kind": kind, | |
| "namespace": namespace, | |
| "name": name, |
sbueringer
/ blog-opa-example2-cr.yaml
Created
January 9, 2019 18:20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: storageclasses | |
| rules: | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["storageclasses"] | |
| verbs: ["create", "update", "delete"] | |
| --- | |
| kind: ClusterRoleBinding |
sbueringer
/ blog-opa-example1.rego.rb
Last active
January 11, 2019 18:25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package authorization | |
| import data.k8s.matches | |
| deny[{ | |
| "id": "pods-kube-system", | |
| "resource": { | |
| "kind": kind, | |
| "namespace": namespace, | |
| "name": name, |
sbueringer
/ blog-opa-example1-cr.yaml
Last active
January 9, 2019 18:17
Kubernetes Authorization via Open Policy Agent
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: pods | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["pods"] | |
| verbs: ["create", "update", "delete"] | |
| --- | |
| kind: ClusterRoleBinding |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Keybase proof | |
| I hereby claim: | |
| * I am sbueringer on github. | |
| * I am sbueringer (https://keybase.io/sbueringer) on keybase. | |
| * I have a public key ASAWSdGxI8N0MxlfOX24-1xkB1cWlaPyituzWA-0S9cX5Ao | |
| To claim this, I am signing this object: |
sbueringer
/ vagrant log
Created
October 20, 2017 16:33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PS C:\Windows\system32> vagrant | |
| INFO global: Vagrant version: 2.0.0 | |
| INFO global: Ruby version: 2.3.4 | |
| INFO global: RubyGems version: 2.5.2.1 | |
| INFO global: VAGRANT_EXECUTABLE="C:\\HashiCorp\\Vagrant\\embedded\\gems\\gems\\vagrant-2.0.0\\bin\\vagrant" | |
| INFO global: VAGRANT_INSTALLER_EMBEDDED_DIR="C:\\HashiCorp\\Vagrant\\embedded" | |
| INFO global: VAGRANT_INSTALLER_ENV="1" | |
| INFO global: VAGRANT_INSTALLER_VERSION="2" | |
| INFO global: VAGRANT_LOG="info" | |
| INFO global: VAGRANT_OLD_ENV_="Q:=Q:\\" |
sbueringer
/ SecurityConfig.kt
Created
September 30, 2017 09:22
Kotlin magic for Spring Security Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // With a little bit of Kotlin magic | |
| class WebSecurityConfig(val jwtValidator: JWTValidator) : WebSecurityConfigurerAdapter() { | |
| override fun configure(http: HttpSecurity) = http { | |
| matchRequests { !EndpointRequest.toAnyEndpoint() } | |
| disable { csrf() } | |
| disable { cors() } | |
| authorizeRequests { | |
| authenticate { anyRequest() } | |
| } | |
| addFilterBefore(JWTFilter(jwtValidator), UsernamePasswordAuthenticationFilter::class.java) |
NewerOlder