

Fine tuned RBAC
sayanh committed Mar 4, 2020
1 parent e4e0848 commit ec43470
Showing 3 changed files with 51 additions and 35 deletions.
Expand Up @@ -305,7 +305,6 @@ func createReverseProxy(destinationHost string, reqOpts ...requestOption) *httpu
},
ModifyResponse: func(response *http.Response) error {
log.Infof("Host responded with status: %s", response.Status)

return nil
},
}
Expand Up @@ -16,22 +16,22 @@ spec:
- from:
- source:
principals:
- cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
- cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
to:
- operation:
methods:
- POST
- POST
paths:
- /{{ .Release.Name }}/v1/events
- /{{ .Release.Name }}/v2/events
- /{{ .Release.Name }}/events
- /{{ .Release.Name }}/v1/events
- /{{ .Release.Name }}/v2/events
- /{{ .Release.Name }}/events
- operation:
methods:
- GET
- PUT
- POST
- GET
- PUT
- POST
paths:
- /{{ .Release.Name }}/v1/metadata*
- /{{ .Release.Name }}/v1/metadata*
- from:
- source:
principals:
Expand Down Expand Up @@ -59,20 +59,33 @@ spec:
- from:
- source:
principals:
- cluster.local/ns/kyma-integration/sa/{{ .Release.Name }}-connectivity-validator
- cluster.local/ns/kyma-integration/sa/{{ .Release.Name }}-connectivity-validator
to:
- operation:
methods:
- POST
- POST
paths:
- /{{ .Release.Name }}/v1/events
- /{{ .Release.Name }}/v2/events
- /{{ .Release.Name }}/v1/events
- /{{ .Release.Name }}/v2/events
- operation:
methods:
- GET
- GET
paths:
- /{{ .Release.Name }}/v1/events/subscribed
- /{{ .Release.Name }}/v1/events/subscribed
- /v1/health
- from:
- source:
principals:
- cluster.local/ns/kyma-system/sa/core-console-backend-service
to:
- operation:
methods:
- GET
paths:
- /v1/health
selector:
matchLabels:
app: newapp-event-service
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
Expand All @@ -85,23 +98,23 @@ metadata:
namespace: kyma-integration
spec:
rules:
- to:
- operation:
methods:
- GET
paths:
- /metrics
- from:
- source:
principals:
- cluster.local/ns/knative-serving/sa/controller
to:
- operation:
methods:
- POST
- GET
paths:
- /*
- from:
- source:
principals:
- cluster.local/ns/knative-serving/sa/controller
to:
- operation:
methods:
- GET
paths:
- /metrics
- to:
- operation:
methods:
- POST
- GET
paths:
- /*
selector:
matchLabels:
serving.knative.dev/service: {{ .Release.Name }}
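Review bot: In the third hunk of this file, the rule printed at L126–L132 grants `POST` and `GET` on `/*` with no `from:` clause; in an Istio AuthorizationPolicy a rule with only `to:` matches every source, including callers with no mTLS identity, and the policy's `action` is not in the hunk, so I am assuming the default ALLOW. Print order alone does not show which ordering (L99–L115 or L116–L132) is the new side, but each of them keeps one source-less rule: on `GET /metrics` in one, on every method and path in the other, and the latter would undo the tightening this commit is meant to deliver. If the `/*` rule is the new side it should either name its callers, e.g. `- from:` / `- source:` / `principals: ["cluster.local/ns/<NAMESPACE-PLACEHOLDER>/sa/<SA-PLACEHOLDER>"]` above its `to:` block, or be removed so only the knative-serving controller rule remains; the health rule added at L79–L88 in the second hunk, which does name a principal, is the pattern to follow. The policy's `metadata` and the tail of `selector` lie outside the hunks.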
Expand Up @@ -87,9 +87,13 @@ metadata:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups: ["*"]
resources: ["namespaces", "subscriptions", "triggers"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["eventing.knative.dev"]
resources: ["triggers"]
verbs: ["get", "list", "watch"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
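Review bot: The narrowed rules at L143–L148 drop `subscriptions` from the resource list without recording why; if any consumer of this ClusterRole still lists or watches subscriptions, the ClusterRoleBinding that follows at L151 will now deny it, and an informer typically surfaces that only as a forbidden error in its logs rather than a startup failure. A one-line comment above the first rule, `# read-only access to core namespaces and eventing.knative.dev triggers; subscriptions are no longer read by this service — confirm with the consumer`, would document the intent. Separately, the binding at L151–L152 is still declared as `rbac.authorization.k8s.io/v1beta1`, which is deprecated in favour of `rbac.authorization.k8s.io/v1` with the same schema, so it could be switched in the same change. The ClusterRole's `metadata` and the binding's `subjects`/`roleRef` lie outside the hunk.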

