Update policy

This patch set updates the k8s-keystone-auth policy. Change-Id: Ia08d393f363ecb49007dc4d4801c61e569b89981 Signed-off-by: Tin Lam <tin@irrational.io>
2018-05-20 13:11:46 -05:00 · 2018-05-20 13:11:46 -05:00 · 91fa516951
commit 91fa516951
parent 19f92a9393
2 changed files with 73 additions and 13 deletions
--- a/kubernetes-keystone-webhook/values.yaml
+++ b/kubernetes-keystone-webhook/values.yaml
@ -86,19 +86,52 @@ release_group: null

 conf:
  policy:
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "*"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - admin
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "kube-system"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - kube-system-admin
    - resource:
        verbs:
          - get
          - list
          - watch
        resources:
-          - pods
-        namespace: openstack
+          - "*"
+        namespace: "kube-system"
        version: "*"
      match:
-        - type: user
+        - type: role
          values:
-            - admin
+            - kube-system-viewer
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "openstack"
+        version: "*"
+      match:
+        - type: project
+          values:
+            - openstack-system

 secrets:
  identity:
--- a/tools/deployment/keystone-auth/check.sh
+++ b/tools/deployment/keystone-auth/check.sh
@ -24,24 +24,51 @@ sudo cp -va $HOME/.kube/config /tmp/kubeconfig.yaml
 sudo kubectl --kubeconfig /tmp/kubeconfig.yaml config unset users.kubernetes-admin

 # Test
-if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token "$(keystone_token)" get pods ; then
-  echo "Denied, as expected by policy"
-else
-  exit 1
-fi
-kubectl --kubeconfig /tmp/kubeconfig.yaml --token "$(keystone_token)" get pods -n openstack
+# This issues token with admin role
+TOKEN=$(keystone_token)
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods -n openstack
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get secrets -n openstack

-# create a demoUser
+# create users
 openstack user create --or-show --password demoPassword demoUser
+openstack user create --or-show --password demoPassword kube-system-admin
+
+# create project
+openstack project create --or-show openstack-system
+openstack project create --or-show demoProject
+
+# create roles
+openstack role create --or-show openstackRole
+openstack role create --or-show kube-system-admin
+
+# assign user role to project
+openstack role add --project openstack-system --user demoUser --project-domain default --user-domain default openstackRole
+openstack role add --project demoProject --user kube-system-admin --project-domain default --user-domain default kube-system-admin
+
 unset OS_CLOUD
 export OS_AUTH_URL="http://keystone.openstack.svc.cluster.local/v3"
 export OS_IDENTITY_API_VERSION="3"
+export OS_PROJECT_NAME="openstack-system"
 export OS_PASSWORD="demoPassword"
 export OS_USERNAME="demoUser"

 # See this does fail as the policy does not allow for a non-admin user
-TOKEN=$(openstack token issue -f value -c id)
-if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token "$(keystone_token)" get pods -n openstack ; then
+
+# Issue a member user token
+TOKEN=$(keystone_token)
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get ingress -n openstack
+if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods ; then
+  echo "Denied, as expected by policy"
+else
+  exit 1
+fi
+
+export OS_USERNAME="kube-system-admin"
+export OS_PROJECT_NAME="demoProject"
+TOKEN=$(keystone_token)
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get ingress -n kube-system
+if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods -n openstack ; then
  echo "Denied, as expected by policy"
 else
  exit 1