
# Dynamic RBAC Operator

Flexible definitions of Kubernetes RBAC rules

## Table of Contents

- [About the Project](#about-the-project)
- [Built With](#built-with)
- [Getting Started](#getting-started)
- [Installation](#installation)
- [Usage](#usage)
- [Roadmap](#roadmap)
- [Contributing](#contributing)
- [License](#license)
- [Contact](#contact)

## About The Project

Writing Kubernetes RBAC definitions by hand can be a pain. This operator allows you to define "Dynamic" RBAC rules that change based on the state of your cluster, so you can spend your time writing the RBAC _patterns_ that you'd like to deploy, rather than traditional, fully enumerated RBAC rules.

### Built With

- [Operator-SDK](https://github.com/operator-framework/operator-sdk)

## Getting Started

### Installation

This operator can be installed with Kustomize:

`kustomize build config/default | oc apply -f -`

## Usage

Once the operator is installed, you can begin using `DynamicRole` and `DynamicClusterRole` resources within your cluster.

For example, the following `DynamicClusterRole` inherits all rules from `cluster-admin`, except the `user.openshift.io` group, and _only_ allows access to `pods` in the `metrics.k8s.io` group:

```yaml
apiVersion: rbac.redhatcop.redhat.io/v1alpha1
kind: DynamicClusterRole
metadata:
  name: admin-without-users
spec:
  inherit:
    - name: cluster-admin
      kind: ClusterRole
  deny:
    - apiGroups:
        - "user.openshift.io"
      resources:
        - "*"
      verbs:
        - "*"
    - apiGroups:
        - "metrics.k8s.io"
      resources:
        - "*"
      verbs:
        - "*"
  allow:
    - apiGroups:
        - "metrics.k8s.io"
      resources:
        - "pods"
      verbs:
        - "*"
```

Applying this resource will cause the operator to use the cluster's resource discovery API to enumerate all of the individual permissions granted by the `cluster-admin` ClusterRole, and then remove access to resources in the `user.openshift.io` group (for example `users`).

You can then create a `RoleBinding` or `ClusterRoleBinding` to `admin-without-users` (as a `ClusterRole`) as normal, and permissions will work as expected!
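To make the inherit/deny/allow semantics of the resource above concrete, here is an added Python model of the resolution step; it is not the operator's own code. Inherited rules are expanded against discovery data into concrete (group, resource, verb) triples, `deny` triples are removed, and `allow` triples are added back. The discovery table and the `cluster-admin` rule are constructed stand-ins, and the evaluation order (deny before allow) is an assumption inferred from the README's example.

```python
"""Model of DynamicClusterRole resolution: inherit, then deny, then allow (assumed order)."""

# Constructed stand-in for the cluster's discovery API: group -> resource -> verbs.
DISCOVERY = {
    "": {"pods": {"get", "list", "delete"}, "secrets": {"get", "list"}},
    "apps": {"deployments": {"get", "list", "patch"}},
    "user.openshift.io": {"users": {"get", "list", "create"}, "groups": {"get", "list"}},
    "metrics.k8s.io": {"pods": {"get", "list"}, "nodes": {"get", "list"}},
}

# Constructed stand-in for the inherited ClusterRole: cluster-admin allows everything.
CLUSTER_ROLES = {"cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

# The admin-without-users spec from the README, as a Python dict.
ADMIN_WITHOUT_USERS = {
    "inherit": [{"name": "cluster-admin", "kind": "ClusterRole"}],
    "deny": [{"apiGroups": ["user.openshift.io"], "resources": ["*"], "verbs": ["*"]},
             {"apiGroups": ["metrics.k8s.io"], "resources": ["*"], "verbs": ["*"]}],
    "allow": [{"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["*"]}],
}

def expand(rules, discovery):
    """Turn PolicyRules (possibly using '*' wildcards) into concrete (group, resource, verb) triples."""
    triples = set()
    for rule in rules:
        groups = discovery if "*" in rule["apiGroups"] else rule["apiGroups"]
        for g in groups:
            if g not in discovery:  # unknown group: nothing to enumerate
                continue
            resources = discovery[g] if "*" in rule["resources"] else rule["resources"]
            for r in resources:
                if r not in discovery[g]:  # unknown resource in this group
                    continue
                verbs = discovery[g][r] if "*" in rule["verbs"] else rule["verbs"]
                triples.update((g, r, v) for v in verbs)
    return triples

def resolve(spec, discovery, cluster_roles):
    """Effective permissions = inherited rules - deny rules + allow rules (only ClusterRole parents modelled)."""
    effective = set()
    for parent in spec.get("inherit", []):
        effective |= expand(cluster_roles[parent["name"]], discovery)
    effective -= expand(spec.get("deny", []), discovery)
    effective |= expand(spec.get("allow", []), discovery)
    return effective

def to_policy_rules(triples):
    """Regroup triples into one PolicyRule per (group, resource), sorted for stable output."""
    grouped = {}
    for g, r, v in sorted(triples):
        grouped.setdefault((g, r), set()).add(v)
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(vs)} for (g, r), vs in sorted(grouped.items())]
```

Running `to_policy_rules(resolve(ADMIN_WITHOUT_USERS, DISCOVERY, CLUSTER_ROLES))` yields rules for core `pods` and `secrets`, `apps/deployments` and `metrics.k8s.io/pods`, with nothing left from `user.openshift.io` and no `metrics.k8s.io/nodes`.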

## Roadmap

See the [open issues](https://github.com/redhat-cop/dynamic-rbac-operator/issues) for a list of proposed features.

## Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.

1. Fork the Project
2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the Branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request

## License

Distributed under the Apache License 2.0. See `LICENSE` for more information.

## Contact

Project Link: [https://github.com/redhat-cop/dynamic-rbac-operator](https://github.com/redhat-cop/dynamic-rbac-operator)