From 144ed2da7bd9f0817b3848fe749407abe6863558 Mon Sep 17 00:00:00 2001 From: Jared Rodriguez Date: Mon, 10 Feb 2020 12:18:47 -0600 Subject: [PATCH 1/3] add allowAllAuthenticated option --- stable/opsportal/Chart.yaml | 2 +- .../templates/ingress-opsportal-rolebinding.yaml | 16 ++++++++++++++++ stable/opsportal/values.yaml | 8 ++++++++ 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 stable/opsportal/templates/ingress-opsportal-rolebinding.yaml diff --git a/stable/opsportal/Chart.yaml b/stable/opsportal/Chart.yaml index 168ed9ace..0b4780845 100644 --- a/stable/opsportal/Chart.yaml +++ b/stable/opsportal/Chart.yaml @@ -3,7 +3,7 @@ appVersion: 1.0.0 home: https://github.com/mesosphere/charts description: OpsPortal Chart name: opsportal -version: 0.2.3 +version: 0.2.4 maintainers: - name: hectorj2f - name: alejandroEsc diff --git a/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml b/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml new file mode 100644 index 000000000..ada1fba6a --- /dev/null +++ b/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.opsportalRBAC.enabled .Values.opsportalRBAC.allowAllAuthenticated }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +name: opsportal-allauthenticated +labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} +roleRef: + apiGroup: rbac.authorization.k8s.io + name: opsportal-admin +subjects: +- apiGroup: "rbac.authorization.k8s.io" + kind: Group + name: system:allauthenticated +{{- end}} \ No newline at end of file diff --git a/stable/opsportal/values.yaml b/stable/opsportal/values.yaml index fd8782736..0485c188c 100644 --- a/stable/opsportal/values.yaml +++ b/stable/opsportal/values.yaml 
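Review bot: In the new ingress-opsportal-rolebinding.yaml template the `app.kubernetes.io/version: {{ .Chart.AppVersion }}` label is emitted unquoted while the two neighbouring labels go through `| quote`; an appVersion such as `1.0` would render as a YAML float and the API server would likely reject it as a non-string label value, so write it as `app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}`. The chart's current appVersion `1.0.0` happens to render as a string, which is why this has not failed yet. The same line survives unchanged on the new side of the PATCH 2/3 hunk for this file, so the fix applies there as well.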
@@ -50,6 +50,14 @@ opsportalRBAC: enabled: true path: /ops/portal graphqlPath: /ops/portal/graphql + ## traefik-forward-auth 2.0 introduces RBAC support and now requires that users, regardless of whitelist, + ## be allowed access to a resource via explicit RBAC policy. Upon upgrade, whitelisted users would no longer + ## have access to ops portal resources unless an appropriate role binding existed. To prevent breakage, + ## the allowAllAuthenticated option, when true, will result in the group `system:allauthenticated` being bound to + ## to the opsportal-admin role. This mimics the existing security policy where any authenticated and whitelisted user + ## has full access to the opsportal. In 1.4, this option will be removed and users will be expected to create + ## role bindings for specific users and groups. + allowAllAuthenticated: true kibanaRBAC: enabled: true From b278efc0b7305a2d447c801a5152dde342b1eeeb Mon Sep 17 00:00:00 2001 From: Jared Rodriguez Date: Mon, 10 Feb 2020 14:48:35 -0600 Subject: [PATCH 2/3] system:authenticated --- .../templates/ingress-opsportal-rolebinding.yaml | 14 ++++++++------ stable/opsportal/values.yaml | 5 ++--- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml b/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml index ada1fba6a..b30077e4b 100644 --- a/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml +++ b/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml 
@@ -1,16 +1,18 @@ {{- if and .Values.opsportalRBAC.enabled .Values.opsportalRBAC.allowAllAuthenticated }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding -name: opsportal-allauthenticated -labels: - app.kubernetes.io/managed-by: {{ .Release.Service | quote }} - app.kubernetes.io/instance: {{ .Release.Name | quote }} - app.kubernetes.io/version: {{ .Chart.AppVersion }} +metadata: + name: opsportal-authenticated-admin + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} roleRef: apiGroup: rbac.authorization.k8s.io name: opsportal-admin + kind: ClusterRole subjects: - apiGroup: "rbac.authorization.k8s.io" kind: Group - name: system:allauthenticated + name: system:authenticated {{- end}} \ No newline at end of file diff --git a/stable/opsportal/values.yaml b/stable/opsportal/values.yaml index 0485c188c..ea90833c3 100644 --- a/stable/opsportal/values.yaml +++ b/stable/opsportal/values.yaml @@ -55,9 +55,8 @@ opsportalRBAC: ## have access to ops portal resources unless an appropriate role binding existed. To prevent breakage, ## the allowAllAuthenticated option, when true, will result in the group `system:allauthenticated` being bound to ## to the opsportal-admin role. This mimics the existing security policy where any authenticated and whitelisted user - ## has full access to the opsportal. In 1.4, this option will be removed and users will be expected to create - ## role bindings for specific users and groups. - allowAllAuthenticated: true + ## has full access to the opsportal. This option will be removed in the 0.3 release of this chart. + allowAllAuthenticated: false kibanaRBAC: enabled: true From c5131ea38d9baa2e719d5f913e6754ab69eb7614 Mon Sep 17 00:00:00 2001 
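Review bot: The rendered ClusterRoleBinding now grants the `opsportal-admin` ClusterRole to the group `system:authenticated`, and that group covers every authenticated principal in the cluster — service accounts and node identities as well as the human users the values.yaml comment describes as "authenticated and whitelisted" — so the template should say so where the binding is defined. A template comment above the `if` line such as `{{/* Opt-in compatibility shim: binds every authenticated principal, including service accounts, to the opsportal-admin ClusterRole. */}}` would make the scope visible to anyone reading the template. How much this exposes depends on what the opsportal-admin ClusterRole actually grants, which is outside this hunk.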
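Review bot: The retained comment line in values.yaml still names the group as `system:allauthenticated`, while the template changed in this same patch binds `system:authenticated`; the line should read `## the allowAllAuthenticated option, when true, will result in the group system:authenticated being bound` and the next line should drop its duplicated leading `to`. The comment's "To prevent breakage" rationale also now reads as if the shim is on by default, whereas this hunk sets `allowAllAuthenticated: false`; a sentence such as `## Defaults to false: set it to true explicitly to keep pre-upgrade access until role bindings are in place.` would make the upgrade behaviour clear.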
From: Jared Rodriguez Date: Mon, 10 Feb 2020 14:52:10 -0600 Subject: [PATCH 3/3] newline --- stable/opsportal/templates/ingress-opsportal-rolebinding.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml b/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml index b30077e4b..0f33f5a3c 100644 --- a/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml +++ b/stable/opsportal/templates/ingress-opsportal-rolebinding.yaml @@ -15,4 +15,4 @@ subjects: - apiGroup: "rbac.authorization.k8s.io" kind: Group name: system:authenticated -{{- end}} \ No newline at end of file +{{- end}}