Scope rancher policy to rancher/*; move catalog grant under sys/plugins
Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).
- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
roles}.
- Move the sudo-protected plugin-catalog grant to
policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
owned by a sys code owner.
This commit is contained in:
@@ -0,0 +1,19 @@
|
||||
# Allow the vault deployer to import (register/deregister) the rancher secrets
|
||||
# plugin in the catalog. sys/plugins/catalog is sudo-protected, so this lives
|
||||
# under policies/sys/ where only a sys code owner can grant it — keeping the
|
||||
# rancher engine policy (policies/rancher/) scoped to rancher/* paths.
|
||||
---
|
||||
rules:
|
||||
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher"
|
||||
capabilities:
|
||||
- create
|
||||
- read
|
||||
- update
|
||||
- delete
|
||||
- sudo
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
k8s/au/syd1:
|
||||
- woodpecker_terraform_vault
|
||||
Reference in New Issue
Block a user