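#!/bin/bash
# Renders the Conjur policy for one authn-k8s authenticator: the
# conjur/authn-k8s/<AUTHENTICATOR_ID> webservice, the CA cert/key variables
# under it, and the `users` layer of identities permitted to authenticate.
# The rendered YAML is written to stdout.
#
# Required env: AUTHENTICATOR_ID - id of the authenticator being defined.

set -euo pipefail

# Fail early with a clear message rather than emitting a policy whose id is
# the malformed "conjur/authn-k8s/" (set -u catches unset, but not empty).
: "${AUTHENTICATOR_ID:?must be set to the authn-k8s authenticator id}"

# The heredoc below is deliberately unquoted so ${AUTHENTICATOR_ID} is
# interpolated into the YAML. Whitespace (including newlines) in the value
# would change the structure of the generated policy, so reject it up front.
if [[ "${AUTHENTICATOR_ID}" =~ [[:space:]] ]]; then
  printf 'AUTHENTICATOR_ID must not contain whitespace: %q\n' "${AUTHENTICATOR_ID}" >&2
  exit 1
fi

cat << EOL
---
# This policy defines an authn-k8s endpoint, CA creds and a layer for whitelisted identities permitted to authenticate to it
# This policy is needed for both DEV and TEST environments
- !policy
  id: conjur/authn-k8s/${AUTHENTICATOR_ID}
  owner: !group cluster_admin
  annotations:
    description: Namespace defs for the Conjur cluster in dev
  body:
    - !webservice
      annotations:
        description: authn service for cluster

    - !policy
      id: ca
      body:
        - !variable
          id: cert
          annotations:
            description: CA cert for Kubernetes Pods.
        - !variable
          id: key
          annotations:
            description: CA key for Kubernetes Pods.

    # define layer of whitelisted authn ids permitted to call authn service
    - !layer users

    - !permit
      resource: !webservice
      privilege: [ read, authenticate ]
      role: !layer users

- !grant
  role: !layer conjur/authn-k8s/${AUTHENTICATOR_ID}/users
  members:
    - !layer conjur/authn-k8s/${AUTHENTICATOR_ID}/apps
EOL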