78a205259d
Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).
- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
roles}.
- Move the sudo-protected plugin-catalog grant to
policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
owned by a sys code owner.
46 lines
1.1 KiB
YAML
46 lines
1.1 KiB
YAML
# Allow the vault deployer to manage the rancher secrets engine: its connection
|
|
# config, seeded (auto-rotated) service-account tokens, and token-minting roles.
|
|
#
|
|
# Scoped to rancher/* only. The plugin-catalog grant needed to import the plugin
|
|
# lives under policies/sys/plugins/catalog/ so a code owner of this policy path
|
|
# cannot grant themselves access outside the rancher mount.
|
|
---
|
|
rules:
|
|
# Engine connection config.
|
|
- path: "rancher/config"
|
|
capabilities:
|
|
- create
|
|
- read
|
|
- update
|
|
- delete
|
|
# Seeded, auto-rotated service-account tokens (+ manual rotate).
|
|
- path: "rancher/service-accounts/*"
|
|
capabilities:
|
|
- create
|
|
- read
|
|
- update
|
|
- delete
|
|
- list
|
|
- path: "rancher/service-accounts"
|
|
capabilities:
|
|
- read
|
|
- list
|
|
# Token-minting roles.
|
|
- path: "rancher/roles/*"
|
|
capabilities:
|
|
- create
|
|
- read
|
|
- update
|
|
- delete
|
|
- list
|
|
- path: "rancher/roles"
|
|
capabilities:
|
|
- read
|
|
- list
|
|
|
|
auth:
|
|
approle:
|
|
- tf_vault
|
|
k8s/au/syd1:
|
|
- woodpecker_terraform_vault
|