{"id":17269592,"url":"https://github.com/ckotzbauer/access-manager","last_synced_at":"2025-07-16T16:37:35.747Z","repository":{"id":37048385,"uuid":"268471036","full_name":"ckotzbauer/access-manager","owner":"ckotzbauer","description":"Kubernetes-Operator to simplify RBAC configurations","archived":false,"fork":false,"pushed_at":"2024-10-04T22:46:29.000Z","size":751,"stargazers_count":16,"open_issues_count":2,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-10-16T08:16:51.293Z","etag":null,"topics":["cluster","k8s","kubernetes","kubernetes-operator","namespaces","operator","rbac","secret","sync"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ckotzbauer.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-01T08:51:45.000Z","updated_at":"2024-09-07T07:05:13.000Z","dependencies_parsed_at":"2023-02-18T21:15:48.631Z","dependency_job_id":"97c1a22c-2a58-42fd-b581-38563cc2799b","html_url":"https://github.com/ckotzbauer/access-manager","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ckotzbauer%2Faccess-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ckotzbauer%2Faccess-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ckotzbauer%2Faccess-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ckotzbauer%2
Faccess-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ckotzbauer","download_url":"https://codeload.github.com/ckotzbauer/access-manager/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245003692,"owners_count":20545647,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cluster","k8s","kubernetes","kubernetes-operator","namespaces","operator","rbac","secret","sync"],"created_at":"2024-10-15T08:16:52.088Z","updated_at":"2025-03-22T18:34:34.909Z","avatar_url":"https://github.com/ckotzbauer.png","language":"Go","readme":"# access-manager\n\n![test](https://github.com/ckotzbauer/access-manager/workflows/test/badge.svg)\n\nThe Access-Manager is a Kubernetes-Operator using the [Operator-SDK](https://github.com/operator-framework/operator-sdk) to simplify complex [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) configurations in your cluster and spread secrets across namespaces.\n\n## Motivation\n\nThe idea for this came up, when managing many different RBAC-Roles on namespace-basis. This was getting more complex over time, and the administrator always has to ensure that the correct roles are applied for different people or ServiceAccounts in multiple namespaces. The scope of the operator is limited to the creation and removal of `RoleBinding`s and `ClusterRoleBinding`s. So all referenced `Role`s and `ClusterRole`s have to exist. Let's automate it.\n\n## Kubernetes Compatibility\n\nThe image contains versions of `k8s.io/client-go`. 
Kubernetes aims to provide forwards \u0026 backwards compatibility of one minor version between client and server:\n\n| access-manager  | k8s.io/client-go | k8s.io/apimachinery | expected kubernetes compatibility |\n|-----------------|------------------|---------------------|-----------------------------------|\n| main            | v0.28.1          | v0.28.1             | 1.27.x, 1.28.x, 1.29.x            |\n| 0.12.x          | v0.28.1          | v0.28.1             | 1.27.x, 1.28.x, 1.29.x            |\n| 0.11.x          | v0.26.0          | v0.26.0             | 1.25.x, 1.26.x, 1.27.x            |\n| 0.10.x          | v0.24.3          | v0.24.3             | 1.23.x, 1.24.x, 1.25.x            |\n| 0.9.x           | v0.23.5          | v0.23.5             | 1.22.x, 1.23.x, 1.24.x            |\n| 0.8.x           | v0.23.0          | v0.23.0             | 1.22.x, 1.23.x, 1.24.x            |\n| 0.7.x           | v0.22.1          | v0.22.1             | 1.21.x, 1.22.x, 1.23.x            |\n| 0.6.x           | v0.21.1          | v0.21.1             | 1.20.x, 1.21.x, 1.22.x            |\n| 0.5.x           | v0.20.1          | v0.20.1             | 1.19.x, 1.20.x, 1.21.x            |\n| 0.4.x           | v0.19.2          | v0.19.2             | 1.18.x, 1.19.x, 1.20.x            |\n| 0.3.x           | v0.18.8          | v0.18.8             | 1.17.x, 1.18.x, 1.19.x            |\n| 0.2.x           | v12.0.0          | v0.18.5             | 1.17.x, 1.18.x, 1.19.x            |\n| 0.1.x           | v12.0.0          | v0.18.3             | 1.17.x, 1.18.x, 1.19.x            |\n\nSee the [release notes](https://github.com/ckotzbauer/access-manager/releases) for specific version compatibility information, including which\ncombinations have been formally tested.\n\n## Installation\n\n**Note:** The `ServiceAccount` must have at least the permissions that it should grant. 
The `cluster-admin` `ClusterRole` is assigned to the `ServiceAccount` by default.\n\n#### Manifests\n\n```\nkubectl apply -f config/crd/access-manager.io_rbacdefinitions.yaml\nkubectl apply -f config/crd/access-manager.io_syncsecretdefinitions.yaml\nkubectl apply -f config/rbac\nkubectl apply -f config/manager\n```\n\n#### Helm-Chart\n\n```\nhelm repo add ckotzbauer https://ckotzbauer.github.io/helm-charts\nhelm install ckotzbauer/access-manager\n```\n\n## Examples\n\n### RBAC-Definition\n\nThe `RbacDefinition` itself is cluster-scoped.\n\n```yaml\napiVersion: access-manager.io/v1beta1\nkind: RbacDefinition\nmetadata:\n  name: example-definition\nspec:\n  namespaced:\n  - namespace:\n      name: my-product\n    bindings:\n    - roleName: my-product-management\n      kind: Role\n      subjects:\n      - name: my-product-team\n        kind: Group\n      - name: devops-team\n        kind: Group\n  - namespaceSelector:\n      matchLabels:\n        ci: \"true\"\n    bindings:\n    - roleName: ci-deploy\n      kind: ClusterRole\n      subjects:\n      - name: ci\n        namespace: ci-service\n        kind: ServiceAccount\n  cluster:\n  - name: john-view-binding\n    clusterRoleName: view\n    subjects:\n    - name: john\n      kind: User\n```\n\nThis would create the following objects:\n- A `RoleBinding` named `my-product-management` in the namespace `my-product` assigning the `my-product-management` `Role` to the `Group`s `my-product-team` and `devops-team`.\n- A `RoleBinding` named `ci-deploy` in each namespace labeled with `ci: true` assigning the `ci-deploy` `ClusterRole` to the `ServiceAccount` `ci` in the `ci-service` namespace.\n- A `ClusterRoleBinding` named `john-view-binding` assigning the `view` `ClusterRole` to the `User` `john`.\n\nFor more details, please read the [api-docs](https://github.com/ckotzbauer/access-manager/blob/master/docs/api.md) and view YAMLs in the `examples` directory.\n\n\n### Behaviors\n\n- A `RbacDefinition` can be marked as \"paused\" 
(set `spec.paused` to `true`), so that the operator will not interfere.\n- The `RoleBinding`s and `ClusterRoleBinding`s are named the same as the given `Role` or `ClusterRole` unless the name is explicitly specified.\n- If there is an existing binding with the same name that is not owned by the `RbacDefinition`, it is not touched.\n- The operator detects changes to all `RbacDefinition`s, `Namespace`s and `ServiceAccount`s automatically.\n\n\n### SyncSecret-Definition\n\nThe `SyncSecretDefinition` itself is cluster-scoped.\n\n```yaml\napiVersion: access-manager.io/v1beta1\nkind: SyncSecretDefinition\nmetadata:\n  name: example-definition\nspec:\n  source:\n    name: source-secret\n    namespace: default\n  targets:\n  - namespace:\n      name: my-product\n  - namespaceSelector:\n      matchLabels:\n        ci: \"true\"\n```\n\nThis would create the following secret:\n- A `Secret` named `source-secret` in the namespace `my-product` and each namespace labeled with `ci: true`.\n\nFor more details, please read the [api-docs](https://github.com/ckotzbauer/access-manager/blob/master/docs/api.md) and view YAMLs in the `examples` directory.\n\n\n### Behaviors\n\n- A `SyncSecretDefinition` can be marked as \"paused\" (set `spec.paused` to `true`), so that the operator will not interfere.\n- The `Secret`s are named the same as the given `Secret` in \"source\".\n- If there is an existing secret with the same name that is not owned by the `SyncSecretDefinition`, it is not touched.\n- The operator detects changes to all `SyncSecretDefinition`s, `Namespace`s and source `Secret`s automatically.\n\n\n## Roadmap\n\n- Expose Prometheus metrics about created bindings and reconcile errors.\n\n\n#### Credits\n\nThis project was inspired by the 
[RBACManager](https://github.com/FairwindsOps/rbac-manager).\n\n[License](https://github.com/ckotzbauer/access-manager/blob/master/LICENSE)\n--------\n[Changelog](https://github.com/ckotzbauer/access-manager/blob/master/CHANGELOG.md)\n--------\n\n## Contributing\n\nPlease refer to the [Contribution guidelines](https://github.com/ckotzbauer/.github/blob/main/CONTRIBUTING.md).\n\n## Code of conduct\n\nPlease refer to the [Conduct guidelines](https://github.com/ckotzbauer/.github/blob/main/CODE_OF_CONDUCT.md).\n\n## Security\n\nPlease refer to the [Security process](https://github.com/ckotzbauer/.github/blob/main/SECURITY.md).\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fckotzbauer%2Faccess-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fckotzbauer%2Faccess-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fckotzbauer%2Faccess-manager/lists"}