feat(scripts): add script to create users
Also, added `ClusterRoles` for use with this script.

Signed-off-by: Bradley Reynolds <[email protected]>
Signed-off-by: Siddhesh Mhadnak <[email protected]>
shenanigansd authored and sid-maddy committed Aug 9, 2024
1 parent e393ffc commit 7a78fe0
Showing 6 changed files with 438 additions and 5 deletions.
13 changes: 8 additions & 5 deletions .gitignore
@@ -1,5 +1,8 @@
# Secrets
secrets.yaml

# Helm
kubernetes/chart/charts/*.tgz
# Secrets
secrets.yaml

# Helm
kubernetes/chart/charts/*.tgz

# Generated kube configs
*.config
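Review bot: the `*.config` pattern added at the end of this hunk is far broader than the generated kubeconfigs it is meant to cover; it will silently hide any other `.config` file that lands anywhere in the repository later. Anchoring it to the directory `create_user.py` writes into (something like `kubernetes/rbac/*.config`) keeps the intent explicit. The README in this commit also says the script creates a private key for the user before it provisions the certificate, so please confirm the key material only ever lands inside the ignored kubeconfig, or add the key file's pattern under `# Generated kube configs` as well.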
18 changes: 18 additions & 0 deletions kubernetes/manifests/_/rbac/cluster-roles/vipyrsec-admins.yaml
@@ -0,0 +1,18 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole

metadata:
name: vipyrsec-admins

rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
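Review bot: the rules in this file (`'*'` apiGroups, resources and verbs, plus `'*'` nonResourceURLs) are the same grant as the built-in `cluster-admin` ClusterRole, so consider binding admins to `cluster-admin` instead of carrying a private copy; a duplicate is easy to drift and someone auditing bindings will not recognise `vipyrsec-admins` as full cluster control. If a separate name is wanted so that `kubectl delete clusterrolebinding <user>@vipyrsec-admins` from the README keeps working, a comment above `rules:` stating that this is cluster-admin-equivalent would help the next reader.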
52 changes: 52 additions & 0 deletions kubernetes/manifests/_/rbac/cluster-roles/vipyrsec-core-devs.yaml
@@ -0,0 +1,52 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole

metadata:
name: vipyrsec-core-devs

rules:
- apiGroups:
- ''
resources:
- pods
- services
- configmaps
- secrets
verbs:
- list
- get
- patch
- update

- apiGroups:
- apps
resources:
- daemonsets
- replicasets
- deployments
verbs:
- list
- get
- patch
- update

- apiGroups:
- batch
resources:
- jobs
verbs:
- list
- get
- patch
- update

- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- list
- get
- patch
- update
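Review bot: `get`/`list` on `secrets` in the first rule and `patch`/`update` on `deployments`, `daemonsets` and `replicasets` in the `apps` rule become a cluster-wide escalation path once this role is bound through a ClusterRoleBinding as the README describes: a holder can read every Secret in every namespace, or edit a Deployment's pod template to set `serviceAccountName` and run a pod under any service account in that namespace, including the ones in `kube-system`. If core devs only need these rights in their own namespaces, bind this ClusterRole with namespaced RoleBindings instead, and drop `secrets` from the read verbs unless the workflow really needs secret contents. Two smaller gaps: the `pods` resource does not cover the `pods/log`, `pods/exec` or `pods/portforward` subresources, so `kubectl logs` and `kubectl exec` will be denied for a role that otherwise looks like a developer role; and `patch`/`update` without `create`/`delete` means `kubectl apply` of a new object fails while editing an existing one succeeds, which is worth stating as intended or fixing by adding the verbs.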
40 changes: 40 additions & 0 deletions kubernetes/manifests/_/rbac/cluster-roles/vipyrsec.yaml
@@ -0,0 +1,40 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole

metadata:
name: vipyrsec

rules:
- apiGroups:
- ''
resources:
- pods
- services
- configmaps
- secrets
verbs:
- list

- apiGroups:
- apps
resources:
- daemonsets
- replicasets
- deployments
verbs:
- list

- apiGroups:
- batch
resources:
- jobs
verbs:
- list

- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- list
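Review bot: `list` on `secrets` in the first rule is not a names-only view; a list response carries each Secret's full `data`, so this read-only baseline role exposes the contents of every Secret in every namespace once bound cluster-wide, exactly as `get` would. Remove `secrets` from that rule unless the baseline group is meant to read secret contents. Also, `list` without `get` is an unusual pairing: `kubectl get pods` works, but `kubectl get pod <name>` and `kubectl describe` are denied, so either add `get` for the non-secret resources or document the limitation next to the rule.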
65 changes: 65 additions & 0 deletions kubernetes/rbac/README.md
@@ -0,0 +1,65 @@
# Kubernetes RBAC

## Create a user

> [!IMPORTANT]
> Make sure to set the `kubectl` context to the cluster to which you want to add the user!
```bash
./create_user.py <user> -g <group>
```

This will,

1. Create a private key for the user
2. Provision a client certificate for the user using the private key
3. Grant the permissions for the requested groups to the user
4. Generate a kubeconfig using the private key, and the client certificate for use with `kubectl`

### Examples

1. Create a user `foo` with group `vipyrsec`

```bash
./create_user.py foo -g vipyrsec
```

2. Create a user `bar` with groups `vipyrsec`, and `vipyrsec-core-devs` with a day's validity

```bash
./create_user.py bar -g vipyrsec -g vipyrsec-core-devs --expiry-seconds 86400
```

## Revoke a user's access granted by a specific role

> [!IMPORTANT]
> Make sure to set the `kubectl` context to the cluster from which you want to revoke the user's access!
```bash
kubectl delete clusterrolebinding <user>@<group>
```

### Example

Revoke user `foo`'s access granted by `vipyrsec-core-devs`

```bash
kubectl delete clusterrolebinding foo@vipyrsec-core-devs
```

## Revoke all permissions granted to a user (AKA, delete the user)

> [!IMPORTANT]
> Make sure to set the `kubectl` context to the cluster from which you want to revoke the user's access!
```bash
kubectl delete clusterrolebinding -luser=<user>
```

### Example

Revoke all permissions granted to user `foo`

```bash
kubectl delete clusterrolebinding -luser=foo
```
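Review bot: the "Revoke all permissions granted to a user (AKA, delete the user)" section should say what deleting the ClusterRoleBindings does not do. Kubernetes has no revocation for client certificates, so the certificate provisioned in step 2 stays a valid identity until it expires; a user whose bindings were removed still authenticates, keeps whatever is granted to `system:authenticated`, and keeps anything bound to a group subject rather than to the user. That makes `--expiry-seconds` (shown only in the second example) the real revocation control, so recommend a short validity and document it here rather than as an optional flag. Related: step 3 says permissions are granted "for the requested groups" while the revoke commands delete a per-user `<user>@<group>` ClusterRoleBinding selected by `-luser=<user>`, so state plainly that each `-g` produces one user-scoped binding to the ClusterRole of that name, and whether the group name is also written into the certificate's `O` field, since in that case the group is a subject in its own right and the per-user delete does not cover bindings made to it.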