Files
terraform-vault/policies/sys/plugins/catalog/rancher.yaml
T
Ben Vincent 78a205259d
ci/woodpecker/pr/plan Pipeline was successful
ci/woodpecker/pr/pre-commit Pipeline was successful
Scope rancher policy to rancher/*; move catalog grant under sys/plugins
Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).

- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
  roles}.
- Move the sudo-protected plugin-catalog grant to
  policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
  owned by a sys code owner.
2026-07-18 14:23:59 +10:00

20 lines
556 B
YAML

# Allow the vault deployer to import (register/deregister) the rancher secrets
# plugin in the catalog. sys/plugins/catalog is sudo-protected, so this lives
# under policies/sys/ where only a sys code owner can grant it — keeping the
# rancher engine policy (policies/rancher/) scoped to rancher/* paths.
---
rules:
- path: "sys/plugins/catalog/secret/vault-plugin-secrets-rancher"
capabilities:
- create
- read
- update
- delete
- sudo
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault