Scope rancher policy to rancher/*; move catalog grant under sys/plugins
Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).
- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
roles}.
- Move the sudo-protected plugin-catalog grant to
policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
owned by a sys code owner.
This commit is contained in:
@@ -1,21 +1,11 @@
|
||||
# Allow the vault deployer to import the rancher plugin and manage its engine
|
||||
# (config, seeded service accounts, and roles).
|
||||
# Allow the vault deployer to manage the rancher secrets engine: its connection
|
||||
# config, seeded (auto-rotated) service-account tokens, and token-minting roles.
|
||||
#
|
||||
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
|
||||
# a sudo-protected path) and manages the engine via the ranchervaultsecret
|
||||
# provider, so the deployer needs catalog access on top of the mount access it
|
||||
# already has (sys/mounts/*). Without this, apply 403s on the plugin
|
||||
# registration and on rancher/{config,service-accounts,roles} writes.
|
||||
# Scoped to rancher/* only. The plugin-catalog grant needed to import the plugin
|
||||
# lives under policies/sys/plugins/catalog/ so a code owner of this policy path
|
||||
# cannot grant themselves access outside the rancher mount.
|
||||
---
|
||||
rules:
|
||||
# Import / register (and deregister) the rancher plugin in the catalog.
|
||||
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher"
|
||||
capabilities:
|
||||
- create
|
||||
- read
|
||||
- update
|
||||
- delete
|
||||
- sudo
|
||||
# Engine connection config.
|
||||
- path: "rancher/config"
|
||||
capabilities:
|
||||
|
||||
Reference in New Issue
Block a user