From 33a746e545cf76e83f59a8463f5c84392783cf09 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 14 Feb 2026 19:46:39 +1100
Subject: [PATCH] feat: add kubernetes ldap groups

vault's terraform approle doesnt need to access all of these kubernetes roles, it was just added as a placeholder and access to the kubernetes roles was via the `vault_admin` to-much-access account. this is an effort to roll back that and make access more targeted.
- add kubernetes* ldap groups for specific cluster/role combinations
- remove tf_vault from kubernetes* roles
---
 .../ldap/kubernetes_au_syd1_cluster_admin.yaml | 3 +++
 .../ldap/kubernetes_au_syd1_cluster_operator.yaml | 3 +++
 .../auth_ldap_group/ldap/kubernetes_au_syd1_cluster_root.yaml | 3 +++
 policies/kubernetes/au/syd1/creds/cluster-admin.yaml | 4 ++--
 policies/kubernetes/au/syd1/creds/cluster-operator.yaml | 4 ++--
 policies/kubernetes/au/syd1/creds/cluster-root.yaml | 2 ++
 6 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_admin.yaml
 create mode 100644 config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_operator.yaml
 create mode 100644 config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_root.yaml

diff --git a/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_admin.yaml b/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_admin.yaml
new file mode 100644
index 0000000..9c43d98
--- /dev/null
+++ b/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_admin.yaml
@@ -0,0 +1,3 @@
+---
+# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
+description: foo
diff --git a/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_operator.yaml b/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_operator.yaml
new file mode 100644
index 0000000..9c43d98
--- /dev/null
+++ b/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_operator.yaml
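Review bot: The new group file for kubernetes_au_syd1_cluster_admin carries only the placeholder `description: foo`, so the repository says nothing about what this LDAP group is for even though membership in it is what the cluster-admin policy is now keyed on. The comment says the content only has to be non-empty YAML for yamlencode, which may well be true, but a real value costs nothing and survives into whatever consumes the file: `description: LDAP group mapped to policies/kubernetes/au/syd1/creds/cluster-admin`. The same placeholder is repeated in kubernetes_au_syd1_cluster_operator.yaml and kubernetes_au_syd1_cluster_root.yaml and deserves the same treatment. The comment also has a typo, `doesnt` should read `doesn't`.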
@@ -0,0 +1,3 @@
+---
+# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
+description: foo
diff --git a/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_root.yaml b/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_root.yaml
new file mode 100644
index 0000000..9c43d98
--- /dev/null
+++ b/config/auth_ldap_group/ldap/kubernetes_au_syd1_cluster_root.yaml
@@ -0,0 +1,3 @@
+---
+# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
+description: foo
diff --git a/policies/kubernetes/au/syd1/creds/cluster-admin.yaml b/policies/kubernetes/au/syd1/creds/cluster-admin.yaml
index 68a3781..87e5f37 100644
--- a/policies/kubernetes/au/syd1/creds/cluster-admin.yaml
+++ b/policies/kubernetes/au/syd1/creds/cluster-admin.yaml
@@ -6,5 +6,5 @@ rules:
 - update
 auth:
- approle:
- - tf_vault
+ ldap:
+ - kubernetes_au_syd1_cluster_admin
diff --git a/policies/kubernetes/au/syd1/creds/cluster-operator.yaml b/policies/kubernetes/au/syd1/creds/cluster-operator.yaml
index 7f5dde7..82c7665 100644
--- a/policies/kubernetes/au/syd1/creds/cluster-operator.yaml
+++ b/policies/kubernetes/au/syd1/creds/cluster-operator.yaml
@@ -6,5 +6,5 @@ rules:
 - update
 auth:
- approle:
- - tf_vault
+ ldap:
+ - kubernetes_au_syd1_cluster_operator
diff --git a/policies/kubernetes/au/syd1/creds/cluster-root.yaml b/policies/kubernetes/au/syd1/creds/cluster-root.yaml
index 0409ca0..ef70cab 100644
--- a/policies/kubernetes/au/syd1/creds/cluster-root.yaml
+++ b/policies/kubernetes/au/syd1/creds/cluster-root.yaml
@@ -8,3 +8,5 @@ rules:
 auth:
 approle:
 - terraform_k8s
+ ldap:
+ - kubernetes_au_syd1_cluster_root
-- 
2.47.3
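Review bot: In cluster-root.yaml the `terraform_k8s` approle keeps its binding and the ldap group is added next to it, so the most privileged of the three creds policies is the only one still reachable by an automation identity, while cluster-admin and cluster-operator drop their approle entirely. That is presumably intended (the commit message names only tf_vault for removal), but nothing in the file records why, and a later cleanup in the spirit of this commit could remove it by mistake; a one-line comment above `approle:` such as `# terraform_k8s intentionally retains cluster-root access: <reason>` would pin that down. For cluster-admin and cluster-operator, LDAP group membership is now the sole gate on those credentials, so the three groups should be confirmed to exist in the directory with the intended members before this is applied; an absent group silently makes the policy unreachable and an over-broad one hands out admin creds. The `rules:` block that each hunk sits under starts outside the hunk.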