tobac

command module

v0.0.0-...-bdcecd3 Latest Latest Go to latest Published: Nov 4, 2022 License: MIT Imports: 18 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/nais/tobac

Links

Open Source Insights

README ¶

ToBAC

ToBAC provides Team-Based Access Control to Kubernetes clusters. It is implemented as a Validating Admission Webhook. Kubernetes will send admission requests to this daemon and expects ToBAC to decide whether or not a user or service account will gain access to certain cluster resources.

Mode of operation

ToBAC's source of truth is a combination between command-line parameters and this list of teams maintained in Sharepoint. Cluster administrators are exempt from permission checking and must specified upon daemon startup.

The Kubernetes API server receives a write request intersecting with the ruleset specified below
The API server uses RBAC rules to decide whether or not the request should succeed
The API server then sends a HTTP query to ToBAC asking for permission
ToBAC decides whether or not access will be granted based on the resource's team label.
If the write operation in question is a DELETE operation, ToBAC must query the Kubernetes API server to get the original resource.
In case of server failure, access is only granted if failurePolicy is set to Ignore. This should be turned off

Developer access ruleset

This ruleset is governed by the ClusterRole and ClusterRoleBinding nais:developer. The actual Kubernetes resources can be found in the nais-yaml repository.

The label team-only means that the object will only be created if it has a team: <team> metadata label. Similarily, same-team implies that the action will only be possible if the user belongs to the same team as specified in the metadata label.

Resources that do not have a team label cannot be created, but they can be modified by anyone, provided that a team label is specified in the updated resource.

Creation: