Dynamic RBAC Operator
Flexible definitions of Kubernetes RBAC rules
Table of Contents
About The Project
Writing Kubernetes RBAC definitions by hand can be a pain. This operator allows you to define "Dynamic" RBAC rules that change based on the state of your cluster, so you can spend your time writing the RBAC patterns that you'd like to deploy, rather than traditional, fully enumerated RBAC rules.
Built With
Getting Started
Definitely still have to write this section...
Installation
This will probably just be a Helm chart.
Usage
Once the operator is installed, you can begin using DynamicRole
and DynamicClusterRole
resources within your cluster.
For example, the DynamicClusterRole
:
apiVersion: rbac.jacobsee.com/v1alpha1
kind: DynamicClusterRole
metadata:
name: admin-without-users
spec:
inherit:
name: cluster-admin
kind: ClusterRole
deny:
- apiGroups:
- 'user.openshift.io'
resources:
- 'users'
verbs:
- '*'
will cause the operator to use the cluster's resource discovery API to enumerate all of the individual permissions of the cluster-admin
user, and then remove access to user.openshift.io/users
resources.
You can then create a RoleBinding
or ClusterRoleBinding
to admin-without-users
(as a ClusterRole
) as normal, and permissions will work as expected!
Roadmap
See the open issues for a list of proposed features (and known issues).
Contributing
Contributions are what make the open source community such an amazing place to be learn, inspire, and create. Any contributions you make are greatly appreciated.
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature
)
- Commit your Changes (
git commit -m 'Add some AmazingFeature'
)
- Push to the Branch (
git push origin feature/AmazingFeature
)
- Open a Pull Request
License
Distributed under the Apache License 2.0. See LICENSE
for more information.
Your Name - @jacobsee
Project Link: https://github.com/jacobsee/dynamic-rbac-operator