feat: add kubernetes secrets engine with RBAC roles for au-syd1 cluster

- Add Kubernetes secrets engine at kubernetes/au/syd1 path
- Create four RBAC roles with external YAML configuration:
  * media-apps-operator: namespaced role for media-apps with selective permissions
  * cluster-operator: cluster-wide read-only access to specific API groups
  * cluster-admin: cluster-wide full access to specific API groups
  * cluster-root: cluster-wide superuser access to all resources
- Add Vault policies for credential generation for each role
- Add admin policies for kubernetes auth backend configuration and role management
- Refactor kubernetes auth backend to use shared locals for CA certificate
- Update terraform-vault approle with required kubernetes policies
@@ -0,0 +1,23 @@
|
||||
---
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- "postgresql.cnpg.io"
|
||||
- "cert-manager.io"
|
||||
- "rbac.authorization.k8s.io"
|
||||
- "batch"
|
||||
- "secrets.hashicorp.com"
|
||||
- "storage.k8s.io"
|
||||
- "apps"
|
||||
- "apiextensions.k8s.io"
|
||||
- "externaldns.k8s.io"
|
||||
- "autoscaling"
|
||||
- "networking.k8s.io"
|
||||
- "purelb.io"
|
||||
- "nfd.k8s-sigs.io"
|
||||
- "policy"
|
||||
- "metrics.k8s.io"
|
||||
resources:
|
||||
- "*"
|
||||
verbs:
|
||||
- "*"
|
||||
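Review bot: granting verbs `"*"` on resources `"*"` in `rbac.authorization.k8s.io` makes this role (presumably the "cluster-admin: full access to specific API groups" from the commit message) equivalent to the cluster-root role, because the holder can create a ClusterRoleBinding to any existing ClusterRole and escalate to full cluster access. The same wildcard on the core group `""` also covers `secrets`, `serviceaccounts/token`, `pods/exec` and `nodes/proxy`. If the intent is a bounded admin, enumerate the resources per API group (or at least restrict `rbac.authorization.k8s.io` to `get`, `list`, `watch`) so the role stays meaningfully distinct from cluster-root; a one-line comment at the top of each YAML file naming the Vault role it is wired to would also help, since the file names are not visible in the rules themselves.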
@@ -0,0 +1,25 @@
|
||||
---
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- "postgresql.cnpg.io"
|
||||
- "cert-manager.io"
|
||||
- "rbac.authorization.k8s.io"
|
||||
- "batch"
|
||||
- "secrets.hashicorp.com"
|
||||
- "storage.k8s.io"
|
||||
- "apps"
|
||||
- "apiextensions.k8s.io"
|
||||
- "externaldns.k8s.io"
|
||||
- "autoscaling"
|
||||
- "networking.k8s.io"
|
||||
- "purelb.io"
|
||||
- "nfd.k8s-sigs.io"
|
||||
- "policy"
|
||||
- "metrics.k8s.io"
|
||||
resources:
|
||||
- "*"
|
||||
verbs:
|
||||
- "get"
|
||||
- "list"
|
||||
- "watch"
|
||||
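Review bot: "read-only" here still includes `get`, `list`, `watch` on resources `"*"` in the core group `""`, which exposes every `Secret` cluster-wide, including the ones synced under `secrets.hashicorp.com`, and `list` on secrets returns their data in bulk. For a cluster-operator role, either enumerate the core resources explicitly (e.g. `pods`, `services`, `configmaps`, `events`, `nodes`, `namespaces`) or split the core group into its own rule without `secrets`. `get` on `pods/exec` is also harmless, but note that `get`/`list` on `secrets` is commonly what turns an "operator" token into a credential-harvesting path, so it deserves a deliberate decision and a comment in the file.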
@@ -0,0 +1,8 @@
|
||||
---
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
verbs:
|
||||
- "*"
|
||||
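Review bot: this rule set is a re-declaration of the built-in `cluster-admin` ClusterRole minus its `nonResourceURLs: ["*"]` entry, so it is superuser on every resource but cannot reach non-resource endpoints such as `/healthz`, `/metrics` or `/api` discovery paths. If full superuser is the goal, add a second rule with `nonResourceURLs: ["*"]` and `verbs: ["*"]`, or bind the built-in `cluster-admin` ClusterRole directly instead of maintaining a copy. Either way, a role this broad should be the one whose Vault-issued credentials get the shortest TTL; the terraform for the Vault role is not in this hunk, so please confirm that there.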
@@ -0,0 +1,49 @@
|
||||
---
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- "pods"
|
||||
- "services"
|
||||
- "configmaps"
|
||||
- "secrets"
|
||||
- "endpoints"
|
||||
- "persistentvolumeclaims"
|
||||
verbs:
|
||||
- "get"
|
||||
- "list"
|
||||
- "watch"
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- "pods/log"
|
||||
verbs:
|
||||
- "get"
|
||||
- "list"
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- "pods/exec"
|
||||
verbs:
|
||||
- "create"
|
||||
- apiGroups:
|
||||
- "apps"
|
||||
resources:
|
||||
- "deployments"
|
||||
- "replicasets"
|
||||
- "statefulsets"
|
||||
- "daemonsets"
|
||||
verbs:
|
||||
- "get"
|
||||
- "list"
|
||||
- "watch"
|
||||
- "patch"
|
||||
- apiGroups:
|
||||
- "extensions"
|
||||
- "networking.k8s.io"
|
||||
resources:
|
||||
- "ingresses"
|
||||
verbs:
|
||||
- "get"
|
||||
- "list"
|
||||
- "watch"
|
||||
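Review bot: `create` on `pods/exec` together with `get`/`list` on `secrets` and `patch` on `deployments`, `statefulsets` and `daemonsets` gives this "selective" media-apps role the ability to read every credential in the namespace, change any workload's image or command, and run code inside existing pods as the namespace's service accounts; in practice that is namespace-admin, so the commit message's description should match or the verbs should be narrowed (drop `pods/exec` and `secrets` unless the consumer needs them, and prefer `update`/`patch` on a named subset of deployments). Two smaller points: the `extensions` API group no longer serves `ingresses` (removed in Kubernetes 1.22), so that entry is dead and can be dropped in favour of `networking.k8s.io` alone, and `list` on `pods/log` is a no-op because the log subresource only supports `get`.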