Scope rancher policy to rancher/*; move catalog grant under sys/plugins
ci/woodpecker/pr/plan Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful

Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).

- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
  roles}.
- Move the sudo-protected plugin-catalog grant to
  policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
  owned by a sys code owner.
This commit is contained in:
Ben Vincent
2026-07-18 14:23:59 +10:00
parent 6f27546207
commit 78a205259d
2 changed files with 24 additions and 15 deletions
+5 -15
View File
@@ -1,21 +1,11 @@
# Allow the vault deployer to import the rancher plugin and manage its engine
# (config, seeded service accounts, and roles).
# Allow the vault deployer to manage the rancher secrets engine: its connection
# config, seeded (auto-rotated) service-account tokens, and token-minting roles.
#
# terraform-vault registers the plugin itself (vault_plugin -> sys/plugins/catalog,
# a sudo-protected path) and manages the engine via the ranchervaultsecret
# provider, so the deployer needs catalog access on top of the mount access it
# already has (sys/mounts/*). Without this, apply 403s on the plugin
# registration and on rancher/{config,service-accounts,roles} writes.
# Scoped to rancher/* only. The plugin-catalog grant needed to import the plugin
# lives under policies/sys/plugins/catalog/ so a code owner of this policy path
# cannot grant themselves access outside the rancher mount.
---
rules:
# Import / register (and deregister) the rancher plugin in the catalog.
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher"
capabilities:
- create
- read
- update
- delete
- sudo
# Engine connection config.
- path: "rancher/config"
capabilities:
+19
View File
@@ -0,0 +1,19 @@
# Allow the vault deployer to import (register/deregister) the rancher secrets
# plugin in the catalog. sys/plugins/catalog is sudo-protected, so this lives
# under policies/sys/ where only a sys code owner can grant it — keeping the
# rancher engine policy (policies/rancher/) scoped to rancher/* paths.
---
rules:
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher"
capabilities:
- create
- read
- update
- delete
- sudo
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault