jacobsee/dynamic-rbac-operator

Dynamic RBAC Operator

Flexible definitions of Kubernetes RBAC rules

About The Project

Writing Kubernetes RBAC definitions by hand can be a pain. This operator allows you to define "Dynamic" RBAC rules that change based on the state of your cluster, so you can spend your time writing the RBAC patterns that you'd like to deploy, rather than traditional, fully enumerated RBAC rules.

Built With

Getting Started

Installation

This operator can be installed with Kustomize:

kustomize build config/default | oc apply -f -

Usage

Once the operator is installed, you can begin using DynamicRole and DynamicClusterRole resources within your cluster.

For example, the DynamicClusterRole:

apiVersion: rbac.redhatcop.redhat.io/v1alpha1
kind: DynamicClusterRole
metadata:
  name: admin-without-users
spec:
  inherit:
    - name: cluster-admin
      kind: ClusterRole
  deny:
    - apiGroups:
        - "user.openshift.io"
      resources:
        - "users"
      verbs:
        - "*"

will cause the operator to use the cluster's resource discovery API to enumerate all of the individual permissions granted by the cluster-admin ClusterRole (expanding its wildcards into concrete API group, resource and verb combinations), and then remove access to user.openshift.io/users resources from that enumerated set.

You can then create a RoleBinding or ClusterRoleBinding to admin-without-users (as a ClusterRole) as normal, and permissions will work as expected!
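The resolution step described above, as an added example that is not the operator's own code: the inherited rules are expanded against a discovery table into concrete (group, resource, verb) triples, the deny rules are expanded the same way and subtracted, and what remains is regrouped into fully enumerated rules. The PolicyRule type, the Resolve and Grants functions and the discovery table are all assumptions of this example (the table is a constructed stand-in for what the cluster's discovery API returns). It also shows why expansion matters: subtracting a deny from a raw wildcard rule would remove nothing.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PolicyRule mirrors the fields of a Kubernetes RBAC PolicyRule that matter
// here. It is a local type for this example, not the operator's own.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// discovery is a constructed stand-in for the cluster's resource discovery
// API: api group -> resource -> supported verbs ("" is the core group).
var discovery = map[string]map[string][]string{
	"": {
		"pods":    {"create", "delete", "get", "list", "watch"},
		"secrets": {"create", "delete", "get", "list", "watch"},
	},
	"user.openshift.io": {
		"users":  {"create", "delete", "get", "list", "watch"},
		"groups": {"create", "delete", "get", "list", "watch"},
	},
}

// permission is one fully enumerated (group, resource, verb) triple.
type permission struct{ group, resource, verb string }

// matches reports whether value is covered by one of the rule's patterns,
// treating "*" as the RBAC wildcard.
func matches(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == "*" || p == value {
			return true
		}
	}
	return false
}

// expand turns rules that may contain "*" wildcards into the concrete set of
// permissions they grant, according to the discovery table.
func expand(rules []PolicyRule) map[permission]bool {
	out := map[permission]bool{}
	for _, r := range rules {
		for group, resources := range discovery {
			if !matches(r.APIGroups, group) {
				continue
			}
			for res, verbs := range resources {
				if !matches(r.Resources, res) {
					continue
				}
				for _, v := range verbs {
					if matches(r.Verbs, v) {
						out[permission{group, res, v}] = true
					}
				}
			}
		}
	}
	return out
}

// Resolve expands the inherited rules, subtracts the expanded deny rules and
// regroups the remainder into one wildcard-free rule per (group, resource).
func Resolve(inherit, deny []PolicyRule) []PolicyRule {
	allowed := expand(inherit)
	for p := range expand(deny) {
		delete(allowed, p)
	}
	byTarget := map[[2]string][]string{}
	for p := range allowed {
		k := [2]string{p.group, p.resource}
		byTarget[k] = append(byTarget[k], p.verb)
	}
	var rules []PolicyRule
	for k, verbs := range byTarget {
		sort.Strings(verbs)
		rules = append(rules, PolicyRule{APIGroups: []string{k[0]}, Resources: []string{k[1]}, Verbs: verbs})
	}
	// Deterministic output order so the generated ClusterRole is stable.
	sort.Slice(rules, func(i, j int) bool {
		return rules[i].APIGroups[0]+"/"+rules[i].Resources[0] < rules[j].APIGroups[0]+"/"+rules[j].Resources[0]
	})
	return rules
}

// Grants reports whether a rule set allows verb on group/resource, which is
// the check a binding to the generated role would be evaluated against.
func Grants(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if matches(r.APIGroups, group) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

func main() {
	clusterAdmin := []PolicyRule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}}
	deny := []PolicyRule{{APIGroups: []string{"user.openshift.io"}, Resources: []string{"users"}, Verbs: []string{"*"}}}
	for _, r := range Resolve(clusterAdmin, deny) {
		fmt.Printf("%s/%s: %s\n", r.APIGroups[0], r.Resources[0], strings.Join(r.Verbs, ","))
	}
}
```

With the constructed table, the resolved role keeps pods, secrets and user.openshift.io/groups but contains no entry for user.openshift.io/users, so Grants returns false for it; the original wildcard rule still returns true, which is exactly the gap the discovery-based expansion closes.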

Roadmap

See the open issues for a list of proposed features.

Known Issues

  1. Only one role can be inherited right now, even though the field is specified as a list, because ruleset merging is still a work in progress.
  2. Allow lists are in the spec but not yet implemented, for the same reason as above.
  3. This operator requires cluster-admin privileges, because it needs to write RBAC rules that grant arbitrary permissions it does not need itself. Running make manifests currently overwrites the manifest that grants this.

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

License

Distributed under the Apache License 2.0. See LICENSE for more information.

Contact

Project Link: https://github.com/redhat-cop/dynamic-rbac-operator