# Authorino AuthConfig protecting the talker-api demo host.
# Two identity sources are accepted; both expose a `username` extended
# property so the authorization policies below read one field
# (`auth.identity.username`) regardless of how the caller authenticated.
apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
    - talker-api.127.0.0.1.nip.io
  identity:
    # Kubernetes TokenReview of service-account tokens minted for the
    # `talker-api` audience; the token `sub` claim becomes the username.
    - name: service-accounts
      kubernetes:
        audiences:
          - talker-api
      extendedProperties:
        - name: username
          valueFrom:
            authJSON: auth.identity.sub
    # API keys are read from Secrets selected by label, not by name: any
    # Secret carrying `audiences: talker-api` (the sample Secrets in this
    # file also carry Authorino's managed-by label) is a valid credential.
    # The username comes from the Secret's `username` annotation, so that
    # annotation decides which RBAC subject the caller is checked as.
    - name: api-key-users
      apiKey:
        selector:
          matchLabels:
            audiences: talker-api
      extendedProperties:
        - name: username
          valueFrom:
            authJSON: auth.identity.metadata.annotations.username
      credentials:
        in: authorization_header
        keySelector: APIKEY
  authorization:
    # Every policy whose `when` condition holds must pass.
    # Paths whose first segment is not `resources` get a SubjectAccessReview
    # without resourceAttributes (a non-resource check).
    # NOTE(review): presumably that SAR carries the request path and the
    # lowercased HTTP method, which is why the ClusterRoles in this file use
    # the lowercase verb `post` — confirm against the Authorino docs.
    - name: non-resource-endpoints
      when:
        - selector: 'context.request.http.path.@extract:{"sep":"/","pos":1}'
          operator: neq
          value: resources
      kubernetes:
        user:
          valueFrom:
            authJSON: auth.identity.username
    # `/resources` and `/resources/<name>` are checked as a resource SAR on
    # `resources.talker-api.authorino.kuadrant.io` in namespace `authorino`,
    # with the lowercased HTTP method as the verb. The regex has no `$`
    # anchor, so longer paths such as `/resources/<name>/extra` also match
    # and are evaluated with segment 2 as the resource name; append `$` if
    # only the two forms above should be admitted by this policy.
    - name: resource-endpoints
      when:
        - selector: context.request.http.path
          operator: matches
          value: '^/resources(/\w+)?'
      kubernetes:
        user:
          valueFrom:
            authJSON: auth.identity.username
        resourceAttributes:
          namespace:
            value: authorino
          group:
            value: talker-api.authorino.kuadrant.io
          resource:
            value: resources
          name:
            valueFrom:
              authJSON: 'context.request.http.path.@extract:{"sep":"/","pos":2}'
          verb:
            valueFrom:
              authJSON: context.request.http.method.@case:lower
---
# Workload identity for the first demo consumer. Tokens requested for this
# account with audience `talker-api` are accepted by the AuthConfig's
# `service-accounts` identity source. No namespace is set here, while the
# RBAC bindings in this file reference it in namespace `authorino`, so the
# file is meant to be applied into that namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-consumer-1
---
# Workload identity for the second demo consumer. Like `api-consumer-1` it
# carries no namespace; the ClusterRoleBinding below expects it in
# namespace `authorino`.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-consumer-2
---
# Sample API key for the demo user `john`.
# Authorino's `api-key-users` identity source selects this Secret by the
# `audiences: talker-api` label; the `username` annotation is the name the
# authorization policies and the RBAC bindings see for the caller.
# NOTE(review): presumably the managed-by label is what makes Authorino
# watch this Secret — confirm.
# This is the tutorial's sample key. A Secret is only base64-encoded unless
# etcd encryption is enabled, so a real credential should not be committed
# in `stringData`.
apiVersion: v1
kind: Secret
metadata:
  name: api-key-1
  labels:
    authorino.kuadrant.io/managed-by: authorino
    audiences: talker-api
  annotations:
    username: john
stringData:
  api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
type: Opaque
---
# Sample API key for the demo user `jane`; same label/annotation contract as
# `api-key-1`. `jane` is bound only to the greeter ClusterRole in this file,
# which makes the two keys useful for demonstrating differing permissions.
# This is the tutorial's sample key; a Secret is only base64-encoded unless
# etcd encryption is enabled, so real credentials do not belong here.
apiVersion: v1
kind: Secret
metadata:
  name: api-key-2
  labels:
    authorino.kuadrant.io/managed-by: authorino
    audiences: talker-api
  annotations:
    username: jane
stringData:
  api_key: Vb8Ymt1Y2hWvaKcAcElau81ia2CsAYUn
type: Opaque
---
# Cluster-scoped role consulted by the `non-resource-endpoints` policy.
# Non-resource URLs without a trailing `*` are matched literally, so only
# `/hello` and `/hey` are granted. The verb is the lowercase `post`;
# NOTE(review): presumably Authorino lowercases the HTTP method for the
# non-resource SubjectAccessReview — confirm.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: talker-api-greeter
rules:
  - nonResourceURLs: ["/hello"]
    verbs: ["post"]
  - nonResourceURLs: ["/hey"]
    verbs: ["post"]
---
# Cluster-scoped role for the `/say/...` endpoints. A trailing `*` is the
# only wildcard Kubernetes allows in nonResourceURLs and matches any suffix,
# so every path under `/say/` is covered by this single rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: talker-api-speaker
rules:
  - nonResourceURLs: ["/say/*"]
    verbs: ["post"]
---
# Namespaced Role consulted by the `resource-endpoints` policy, whose
# SubjectAccessReview names namespace `authorino`; this Role must therefore
# be created in that namespace. Only `get` is granted, so requests on
# `/resources...` with any other (lowercased) HTTP method are denied.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: talker-api-resource-reader
rules:
  - apiGroups: ["talker-api.authorino.kuadrant.io"]
    resources: ["resources"]
    verbs: ["get"]
---
# Grants `talker-api-greeter` to both demo service accounts and to the two
# API-key users. ServiceAccount subjects are identified by namespace+name
# (user `system:serviceaccount:authorino:<name>` in the SAR); `john` and
# `jane` are the `username` annotations of the API-key Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: talker-api-greeter-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: talker-api-greeter
subjects:
  - kind: ServiceAccount
    name: api-consumer-1
    namespace: authorino
  - kind: ServiceAccount
    name: api-consumer-2
    namespace: authorino
  - kind: User
    name: john
  - kind: User
    name: jane
---
# Grants `talker-api-speaker` to a narrower set than the greeter binding:
# only `api-consumer-1` and the API-key user `john`. `api-consumer-2` and
# `jane` are deliberately left out, so their `/say/*` requests are denied.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: talker-api-speaker-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: talker-api-speaker
subjects:
  - kind: ServiceAccount
    name: api-consumer-1
    namespace: authorino
  - kind: User
    name: john
---
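# Binds the namespaced `talker-api-resource-reader` Role to `api-consumer-1`
# and the API-key user `john`. The binding carries no `metadata.namespace`,
# so it must be applied into `authorino` to match the namespace named in
# the AuthConfig's resource SubjectAccessReview.
# `namespace` is meaningful only for ServiceAccount subjects; the RBAC
# Subject API says it must be empty for User and Group, so it is not set
# on the `john` subject here.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: talker-api-resource-reader-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: talker-api-resource-reader
subjects:
  - kind: ServiceAccount
    name: api-consumer-1
    namespace: authorino
  - kind: User
    name: john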