diff --git a/README.md b/README.md
index 895289da..69479561 100644
--- a/README.md
+++ b/README.md
@@ -49,12 +49,12 @@ As you might expect, this will run in your current Kubernetes context. If you do
 ### As a Kubernetes Job
-Also quite straightforward, you can apply the YAML from the `example/k8s` directory of this repository to run RBAC Manager within your cluster. In this case, you'll want to add you're RBAC Manager configuration in the ConfigMap (`example/k8s/2-config.yaml`).
+Also quite straightforward, you can apply the YAML from the `example/k8s/job` directory of this repository to run RBAC Manager within your cluster. In this case, you'll want to add you're RBAC Manager configuration in the ConfigMap (`example/k8s/controller/02-configmap.yaml`).
 Once the ConfigMap represents the RBAC state you want to achieve, you can run the job with a simple command:
 ```
-kubectl apply -f example/k8s
+kubectl apply -f example/k8s/controller
 ```
 Once the job has completed, you can clean things up by removing the namespace it creates with this command:
@@ -65,28 +65,17 @@ kubectl delete namespace rbac-manager
 ### As a Kubernetes Controller
-RBAC Manager can also be run as a controler and uses Custom Resources to store the yaml file from above. To create the controller:
+RBAC Manager can also be run as a controler using custom resources to store this format of RBAC configuration. These custom resources are `rbacdefinitions`. The RBAC Manager controller listens for `rbacdefinition` updates, and will automatically make the requested changes when a `rbacdefinition` is created or updated.
+
+Sample Kubernetes configuration for this pattern is available in `example/k8s/controller`. You can run this example in your cluster with this command:
+
 ```
-# Create the namespace
-kubectl apply -f example/k8s/00-namespaces.yaml
-# Create the serviceAccount and roleBinding for rbac_manager
-kubectl apply -f example/k8s/01-rbac.yaml
-# Create the customResourceDefinition
-kubectl apply -f example/k8s/05-customresourcedefinition.yaml
-# Create the controller
-kubectl apply -f example/k8s/07-controller.yaml
+kubectl apply -f example/k8s/controller
 ```
-Once the `customResourceDefinition` is applied, you can create the resource that defines the RBAC `users`/`serviceAccounts`, the `role`s, and the `roleBinding`s. Use `kubectl apply -f example/k8s/06/customresource.yaml` as and example.
-
 ### As part of a CI Workflow
-Ideally RBAC manager will be used in a CI workflow. In addition to our standard Docker images, we provide a secondary image with each release that includes some helpful dependencies for continuous integration. There is a working example of what this could look like in `examples/ci`.
- - ## Future Plans -
-We're very interested in implementing this with a Kubernetes operator pattern. Instead of a single update task, this operator would run on each cluster and listen for changes to custom configuration resources.
+Ideally RBAC manager will be used in a CI workflow.
In addition to our standard Docker images, we provide a secondary image with each release that includes some helpful dependencies for continuous integration. There is a working example of what this could look like in `examples/ci`.
 ## License
 Apache License 2.0
diff --git a/examples/k8s/03-configmap.yaml b/examples/k8s/03-configmap.yaml
deleted file mode 100644
index b884b563..00000000
--- a/examples/k8s/03-configmap.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: rbac-manager-config
- namespace: rbac-manager
-data:
- rbac.yaml: |-
- - user: one@example.com
- clusterRoleBindings:
- - clusterRole: cluster-admin
- user: two@example.com
- clusterRoleBindings:
- - clusterRole: edit
- roleBindings:
- - clusterRole: cluster-admin
- namespace: default
- user: three@example.com
- roleBindings:
- - clusterRole: edit
- namespace: default
- role: nginx-ingress-role
- namespace: nginx-ingress
- - clusterRole: view
- namespace: kube-lego
- user: four@example.com
- roleBindings:
- - clusterRole: edit
- namespace: default
- - clusterRole: view
- namespace: kube-lego
- user: five@example.com
- roleBindings:
- - clusterRole: admin
- namespace: default
- - clusterRole: edit
- namespace: nginx-ingress
- - clusterRole: view
- namespace: kube-lego
diff --git a/examples/k8s/06-customerresource.yaml b/examples/k8s/06-customerresource.yaml
deleted file mode 100644
index 713a4853..00000000
--- a/examples/k8s/06-customerresource.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-apiVersion: rbacmanager.k8s.io/v1
-kind: RBACDefinition
-metadata:
- name: rbac-manager-config
- namespace: rbac-manager
-data:
- rbac: |-
- - user: one@example.com
- clusterRoleBindings:
- - clusterRole: cluster-admin
- user: two@example.com
- clusterRoleBindings:
- - clusterRole: edit
- roleBindings:
- - clusterRole: cluster-admin
- namespace: default
- user: three@example.com
- roleBindings:
- - clusterRole: edit
- namespace: default
- role: nginx-ingress-role
- namespace: nginx-ingress
- - clusterRole: view
- namespace: kube-lego
- user: four@example.com
- roleBindings:
- - clusterRole: edit
- namespace: default
- - clusterRole: view
- namespace: kube-lego
- user: five@example.com
- roleBindings:
- - clusterRole: admin
- namespace: default
- - clusterRole: edit
- namespace: nginx-ingress
- - clusterRole: view
- namespace: kube-lego
diff --git a/examples/k8s/00-namespace.yaml b/examples/k8s/controller/00-namespace.yaml
similarity index 100%
rename from examples/k8s/00-namespace.yaml
rename to examples/k8s/controller/00-namespace.yaml
diff --git a/examples/k8s/01-rbac.yaml b/examples/k8s/controller/01-rbac.yaml
similarity index 83%
rename from examples/k8s/01-rbac.yaml
rename to examples/k8s/controller/01-rbac.yaml
index 9f1cd62e..d32e3263 100644
--- a/examples/k8s/01-rbac.yaml
+++ b/examples/k8s/controller/01-rbac.yaml
@@ -10,24 +10,20 @@ metadata:
 name: rbac-manager
 rules:
 - apiGroups:
- - rbac.authorization.k8s.io
+ - rbacmanager.k8s.io
 resources:
- - clusterrolebindings
- - rolebindings
+ - rbacdefinitions
 verbs:
- - create
- - delete
 - get
 - list
- - patch
- - update
+ - watch
 - apiGroups:
- - rbacmanager.k8s.io
+ - rbac.authorization.k8s.io
+ - authorization.k8s.io
 resources:
- - rbacdefinitions
+ - '*'
 verbs:
- - get
- - list
+ - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
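Review bot: The rewritten second rule in `examples/k8s/controller/01-rbac.yaml` grants `resources: '*'` and `verbs: '*'` on `rbac.authorization.k8s.io` and `authorization.k8s.io`, replacing a rule that was limited to create/delete/get/list/patch/update on bindings; a wildcard verb set includes `escalate` and `bind`, and a wildcard resource set includes `roles` and `clusterroles`, so the controller's service account can now author arbitrary roles and grant itself anything, which makes any compromise of the controller pod a cluster-admin compromise. If the widening was done because the narrower rule failed Kubernetes' privilege-escalation check when the sample RBACDefinition binds `cluster-admin` (my inference, not visible here), the targeted fix is the `bind` verb on `clusterroles` and `roles`, which lets the controller create bindings to roles it does not itself hold without any write access to the roles. Nothing in this change set uses `authorization.k8s.io`, so that group should be dropped unless the controller code issues SubjectAccessReviews, and `get`/`list` on `roles`/`clusterroles` should only be added if the controller validates that referenced roles exist. The `rules:` block I would commit instead is below; the ClusterRoleBinding that follows it is unchanged.
```yaml
rules:
  - apiGroups:
      - rbacmanager.k8s.io
    resources:
      - rbacdefinitions
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
      - rolebindings
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
  # `bind` lets the controller create bindings to roles it does not itself
  # hold (the sample binds cluster-admin) without write access to the roles.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - roles
    verbs:
      - bind
# ... unchanged: ClusterRoleBinding ...
```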
diff --git a/examples/k8s/05-customresourcedefinition.yml b/examples/k8s/controller/02-rbacdefinition-crd.yml
similarity index 100%
rename from examples/k8s/05-customresourcedefinition.yml
rename to examples/k8s/controller/02-rbacdefinition-crd.yml
diff --git a/examples/k8s/controller/03-rbacdefinition.yaml b/examples/k8s/controller/03-rbacdefinition.yaml
new file mode 100644
index 00000000..2412243c
--- /dev/null
+++ b/examples/k8s/controller/03-rbacdefinition.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: rbacmanager.k8s.io/v1
+kind: RBACDefinition
+metadata:
+ name: rbac-manager-config
+ namespace: rbac-manager
+data:
+ rbac: |-
+ - user: one@example.com
+ clusterRoleBindings:
+ - clusterRole: cluster-admin
+ - user: two@example.com
+ clusterRoleBindings:
+ - clusterRole: edit
+ roleBindings:
+ - clusterRole: cluster-admin
+ namespace: default
diff --git a/examples/k8s/07-controller.yaml b/examples/k8s/controller/04-controller.yaml
similarity index 77%
rename from examples/k8s/07-controller.yaml
rename to examples/k8s/controller/04-controller.yaml
index a56c4d41..77c76475 100644
--- a/examples/k8s/07-controller.yaml
+++ b/examples/k8s/controller/04-controller.yaml
@@ -16,6 +16,6 @@ spec:
 spec:
 serviceAccountName: rbac-manager
 containers:
- image: quay.io/reactiveops/rbac-manager:latest
- name: rbac-manager
-
+ - name: rbac-manager
+ image: quay.io/reactiveops/rbac-manager:latest
+
diff --git a/examples/k8s/job/00-namespace.yaml b/examples/k8s/job/00-namespace.yaml
new file mode 100644
index 00000000..e520401a
--- /dev/null
+++ b/examples/k8s/job/00-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rbac-manager
\ No newline at end of file
diff --git a/examples/k8s/job/01-rbac.yaml b/examples/k8s/job/01-rbac.yaml
new file mode 100644
index 00000000..a2057be5
--- /dev/null
+++ b/examples/k8s/job/01-rbac.yaml
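Review bot: The new sample `examples/k8s/controller/03-rbacdefinition.yaml` lives in the directory the README tells users to `kubectl apply -f` wholesale, and the README text in this same diff says the controller acts on an `rbacdefinition` as soon as it is created, so applying the example grants cluster-wide `cluster-admin` to `one@example.com` and `cluster-admin` in `default` to `two@example.com` before anyone has edited it. A live `cluster-admin` grant should not ship inside the apply directory; either move the sample next to the directory rather than in it, or at minimum open the file with a warning such as `# EXAMPLE ONLY: replace the users below before applying - as written this grants cluster-admin to one@example.com`. The CRD this resource depends on is a pure rename in this diff, so I cannot see whether it constrains `data.rbac` at all.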
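Review bot: `image: quay.io/reactiveops/rbac-manager:latest` in `examples/k8s/controller/04-controller.yaml` is a mutable tag on a long-running workload whose service account can write cluster RBAC (per `01-rbac.yaml` in this diff), so whatever is pushed to `latest` next, including a compromised build, becomes cluster RBAC authority on the next pod restart. Pin it to the release tag this commit ships or, better, to a `@sha256:` digest, e.g. `image: quay.io/reactiveops/rbac-manager:<release-tag>`. The enclosing manifest (kind, replicas, any securityContext) starts outside this hunk, so I cannot tell whether the pod sets `runAsNonRoot` or `readOnlyRootFilesystem`; both are worth checking given the privileges involved.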
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rbac-manager
+ namespace: rbac-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: rbac-manager
+rules:
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ - authorization.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: rbac-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rbac-manager
+subjects:
+ - kind: ServiceAccount
+ name: rbac-manager
+ namespace: rbac-manager
diff --git a/examples/k8s/job/02-configmap.yaml b/examples/k8s/job/02-configmap.yaml
new file mode 100644
index 00000000..fada9791
--- /dev/null
+++ b/examples/k8s/job/02-configmap.yaml
@@ -0,0 +1,17 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: rbac-manager-config
+ namespace: rbac-manager
+data:
+ rbac.yaml: |-
+ - user: one@example.com
+ clusterRoleBindings:
+ - clusterRole: cluster-admin
+ - user: two@example.com
+ clusterRoleBindings:
+ - clusterRole: edit
+ roleBindings:
+ - clusterRole: cluster-admin
+ namespace: default
diff --git a/examples/k8s/04-job.yaml b/examples/k8s/job/03-job.yaml
similarity index 73%
rename from examples/k8s/04-job.yaml
rename to examples/k8s/job/03-job.yaml
index 5508e3b3..8dd255d7 100644
--- a/examples/k8s/04-job.yaml
+++ b/examples/k8s/job/03-job.yaml
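Review bot: The ClusterRole in the new `examples/k8s/job/01-rbac.yaml` grants `'*'` resources and `'*'` verbs on `rbac.authorization.k8s.io` and `authorization.k8s.io` to the job's service account, so anyone who can create a pod with `serviceAccountName: rbac-manager` in the `rbac-manager` namespace inherits the power to write any role or binding in the cluster, long after the one-shot job has finished. The job only needs to manage bindings plus the `bind` verb on `clusterroles`/`roles` (so it can reference `cluster-admin`, as the sample ConfigMap does, without holding it), and nothing in this change set uses `authorization.k8s.io`. A brand-new manifest also should not start on `rbac.authorization.k8s.io/v1beta1`; `v1` has been stable since Kubernetes 1.8 and `v1beta1` is deprecated, so use `v1` for the ClusterRole and the ClusterRoleBinding below it. The ClusterRole I would commit is below.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rbac-manager
rules:
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
      - rolebindings
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
  # `bind` permits bindings to roles the job does not hold; it grants no
  # write access to the roles themselves.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - roles
    verbs:
      - bind
# ... unchanged: ServiceAccount and ClusterRoleBinding (apiVersion moved to v1) ...
```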
@@ -1,26 +1,25 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: rbac-manager-2
+ name: rbac-manager
 namespace: rbac-manager
 spec:
- backoffLimit: 1
+ backoffLimit: 0
 template:
 spec:
 restartPolicy: Never
 serviceAccountName: rbac-manager
 containers:
 - name: rbac-manager
- image: quay.io/robertjscott/rbac-manager:0.1.3
+ image: quay.io/reactiveops/rbac-manager:latest
 command:
- - python
- - manage-rbac.py
- - --config
+ - python
+ - manage_rbac.py
+ - --config
 - config/rbac.yaml
 volumeMounts:
 - name: rbac-manager-config
 mountPath: /rbac-manager/config
-
 volumes:
 - name: rbac-manager-config
 configMap:
diff --git a/manage_rbac.py b/manage_rbac.py
index 293fccb8..7ff1c491 100644
--- a/manage_rbac.py
+++ b/manage_rbac.py
@@ -10,7 +10,7 @@ from kubernetes.client.rest import ApiException
-logging.basicConfig(level=logging.DEBUG, format='%(levelname)s: %(message)s')
+logging.basicConfig(level=logging.INFO, format='%(levelname)s: %(message)s')
 logger = logging.getLogger(__name__)
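Review bot: The job image in `examples/k8s/job/03-job.yaml` moves from the pinned `quay.io/robertjscott/rbac-manager:0.1.3` to the mutable `quay.io/reactiveops/rbac-manager:latest`, so a Job that runs with cluster-wide RBAC write permissions (see `job/01-rbac.yaml` in this diff) now executes whatever `latest` resolves to at run time, and there is no record afterwards of which code applied the policy. Keep the example pinned to a release tag or a `@sha256:` digest, `image: quay.io/reactiveops/rbac-manager:<release-tag>`, and have the README say how to bump it. The `volumes:` stanza continues outside the hunk, so I could not check that the ConfigMap reference still matches the renamed `rbac-manager-config`.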