- K8s authorization attributes
- ResourceAttributes
- NonResourceAttributes
- garm resource attributes
var namespace, verb, group, resource, name string
- verb
config.yaml,map_rule.tld.platform.verb_mappings- key-value mapping
- resource
config.yaml,map_rule.tld.platform.resource_mappings- key-value mapping
- group
- is
""ifmap_rule.tld.platform.api_group_control == false config.yaml,map_rule.tld.platform.api_group_mappings- key-value mapping
- is
- name
- is
""ifmap_rule.tld.platform.resource_name_control == false config.yaml,map_rule.tld.platform.resource_name_mappings- key-value mapping
- is
- Map env. variable in Athenz service domain
- expectation
- split by
. - for each token matches
_.*_, subsitute with env. variable (except_namespace_)
- split by
- example
_k8s_cluster_._namespace_.athenz.service.domain=>SANDBOX._namespace_.athenz.service.domainconfig.GetActualValue("k8s_cluster") == "SANDBOX"
- expectation
- Map namespace in Athenz admain (both admin & service domain)
- expectation
- subsitute
_namespace_string inmap_rule.tld.platform.admin_athenz_domainwith garm resource attributesnamespace
- subsitute
- example
athenz.domain._namespace_=>athenz.domain.kaas_namespacenamespace = kaas_namespace
- expectation
- Map k8s user to Athenz principal
- expectation
- remove
service_account_prefixes - subsitute namespace
- subsitute
: - if service account, prepend
athenz_service_account_prefix - if not service account, prepend
athenz_user_prefix
- remove
- example
service_a:_namespace_:k8s_user=>domain_a.k8s.kaas_namespace.k8s_userservice_account_prefixes = []string{"service_a"}athenz_service_account_prefix = "domain_a.k8s."namespace = kaas_namespace
service_b:service_c:k8s_user=>domain_b.serviceaccount.service_c.k8s_userservice_account_prefixes = []string{"service_b", "service_c"}athenz_service_account_prefix = "domain_b.k8s."
service_b:k8s_user=>domain_c.k8s.k8s_userservice_account_prefixes = []string{"service_a", "service_b"}athenz_service_account_prefix = "domain_c.k8s."
k8s_user=>user.k8s_userathenz_user_prefix = "user."
- expectation
P.S. It may be easier to read the code directly. createAthenzDomains(), GetAdminDomain(), BuildDomainsFromNamespace(), PrincipalFromUser()
in black_list AND NOT in white_list=> directly rejectconfig.yaml,map_rule.tld.platform.black_list&map_rule.tld.platform.white_list
- Matching logic
- create rule RegExp for matching
- Garm resource attribute is serialized before matching with the rule RegExp.
- create rule RegExp for matching
- Example
RequestInfo{ Verb: "get", Namespace: "kube-system", APIGroup: "*", Resource: "secrets", Name: "alertmanager"}=> check with Athenz- black_list contains
RequestInfo{ Verb: "*", Namespace: "kube-system", APIGroup: "*", Resource: "*", Name: "*"}. - white_list contains
RequestInfo{ Verb: "get", Namespace: "kube-system", APIGroup: "*", Resource: "secrets", Name: "alertmanager"}.
- black_list contains
RequestInfo{ Verb: "get", Namespace: "kube-system", APIGroup: "*", Resource: "secrets", Name: "my-secret"}=> directly reject- black_list contains
RequestInfo{ Verb: "*", Namespace: "kube-system", APIGroup: "*", Resource: "*", Name: "*"}. - white_list ONLY contains
RequestInfo{ Verb: "get", Namespace: "kube-system", APIGroup: "*", Resource: "secrets", Name: "alertmanager"}.
- black_list contains
in admin_access_list=> use admin domainconfig.yaml,map_rule.tld.platform.admin_access_list
- Matching logic
- same as above
- Athenz service domain
- Athenz admin domain (2 requests to Athenz, OR logic, any one is allowed implies the action is allowed.)
