Files
terraform-vault/policies/rancher/admin.yaml
T
Ben Vincent 78a205259d
ci/woodpecker/pr/plan Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
Scope rancher policy to rancher/*; move catalog grant under sys/plugins
Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).

- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
  roles}.
- Move the sudo-protected plugin-catalog grant to
  policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
  owned by a sys code owner.
2026-07-18 14:23:59 +10:00

46 lines
1.1 KiB
YAML

# Allow the vault deployer to manage the rancher secrets engine: its connection
# config, seeded (auto-rotated) service-account tokens, and token-minting roles.
#
# Scoped to rancher/* only. The plugin-catalog grant needed to import the plugin
# lives under policies/sys/plugins/catalog/ so a code owner of this policy path
# cannot grant themselves access outside the rancher mount.
---
rules:
# Engine connection config.
- path: "rancher/config"
capabilities:
- create
- read
- update
- delete
# Seeded, auto-rotated service-account tokens (+ manual rotate).
- path: "rancher/service-accounts/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "rancher/service-accounts"
capabilities:
- read
- list
# Token-minting roles.
- path: "rancher/roles/*"
capabilities:
- create
- read
- update
- delete
- list
- path: "rancher/roles"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault