78a205259d
Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).
- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
roles}.
- Move the sudo-protected plugin-catalog grant to
policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
owned by a sys code owner.
20 lines
556 B
YAML
20 lines
556 B
YAML
# Allow the vault deployer to import (register/deregister) the rancher secrets
|
|
# plugin in the catalog. sys/plugins/catalog is sudo-protected, so this lives
|
|
# under policies/sys/ where only a sys code owner can grant it — keeping the
|
|
# rancher engine policy (policies/rancher/) scoped to rancher/* paths.
|
|
---
|
|
rules:
|
|
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher"
|
|
capabilities:
|
|
- create
|
|
- read
|
|
- update
|
|
- delete
|
|
- sudo
|
|
|
|
auth:
|
|
approle:
|
|
- tf_vault
|
|
k8s/au/syd1:
|
|
- woodpecker_terraform_vault
|