Access Policies (ACLs)

Reference documentation for ACLs.

ACLs are used to control fine-grained access policies of users to resources; and are validated, stored, and evaluated as an AccessPolicy resource in Omni.

At the moment, only Kubernetes cluster access (group impersonation) is supported.

Structure

AccessPolicy

The AccessPolicy is a single resource containing a set of user groups, a set of cluster groups, a list of matching rules and a list of tests.

metadata:
  namespace: default
  type: AccessPolicies.omni.sidero.dev
  id: access-policy
spec:
  usergroups:
    # match level-1 users by fnmatch expression
    level-1:
      users:
        - match: level-1*
    # match level-2 users by label selectors
    level-2:
      users:
        - labelselectors:
            - level=2
    # match level-3 users by explicit list
    level-3:
      users:
        - name: admin1@example.com
        - name: admin2@example.com
  clustergroups:
    dev:
      clusters:
        - match: dev-*
    staging:
      clusters:
        - match: staging-*
        - match: preprod-*
    production:
      clusters:
        - match: prod-*
  rules:
    - users:
        - group/level-1
      clusters:
        - group/dev
      role: Operator
    - users:
        - group/level-1
      clusters:
        - group/staging
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - read-only
    - users:
        - group/level-2
      clusters:
        - group/dev
        - group/staging
      role: Operator
    - users:
        - group/level-2
      clusters:
        - group/production
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - read-only
    - users:
        - group/level-3
      clusters:
        - group/dev
        - group/staging
        - group/production
      role: Admin
    # simple rule - without links to user or cluster groups
    - users:
        - vault-admin@example.com
      clusters:
        - vault
      role: Admin
  tests:
    # level-1 tests
    - name: level-1 engineer has Operator access to dev cluster
      user:
        name: level-1-a@example.com
      cluster:
        name: dev-cluster-1
      expected:
        role: Operator
    - name: level-1 engineer has read-only access to staging cluster
      user:
        name: level-1-b@example.com
      cluster:
        name: staging-cluster-1
      expected:
        role: Reader
        kubernetes:
          impersonate:
            groups:
              - read-only
    - name: level-1 engineer has no access to production cluster
      user:
        name: level-1-c@example.com
      cluster:
        name: production-cluster-1
      expected:
        role: None
        kubernetes:
          impersonate:
            groups: []
    # level-2 tests
    - name: level-2 engineer has Operator access to staging cluster
      user:
        name: something@example.com
        labels:
          level: "2"
      cluster:
        name: preprod-cluster-1
      expected:
        role: Operator
    - name: level-2 engineer has read-only access to prod cluster
      user:
        name: something@example.com
        labels:
          level: "2"
      cluster:
        name: prod-cluster-1
      expected:
        role: Reader
        kubernetes:
          impersonate:
            groups:
              - read-only
    # level-3 tests
    - name: level-3 engineer has admin access to prod cluster
      user:
        name: admin1@example.com
      cluster:
        name: prod-cluster-1
      expected:
        role: Admin
    # vault-admin tests
    - name: vault-admin has admin access to vault
      user:
        name: vault-admin@example.com
      cluster:
        name: vault
      expected:
        role: Admin
FieldTypeDescription

metadata.namespace

string

Always set to default.

metadata.type

string

AccessPolicies.omni.sidero.dev.

metadata.id

string

Always set to access-policy.

spec.usergroups

map[string]UserGroup

Map of user group names to user group definitions.

spec.clustergroups

map[string]ClusterGroup

Map of cluster group names to cluster group definitions.

spec.rules

array

List of rules to match.

spec.tests

array

List of tests to run when the resource is created or updated.

UserGroup

A UserGroup is a group of users.

users:
  - name: user1@example.com
  - name: user2@example.com
FieldTypeDescription

users

array

List of Users.

User

A User is a single user.

name: user1@example.com
match: user1*
labelselectors:
  - level=1
FieldTypeDescription

name

string

User identity used to authenticate to Omni.

match

string

fnmatch expression to match user identities.

labelselectors

array

List of label selector strings.

Note: name, match and labelselectors are mutually exclusive. Only one of them can be set to a non-zero value.

ClusterGroup

A ClusterGroup is a group of clusters.

clusters:
  - name: cluster-1
  - name: cluster-2
FieldTypeDescription

clusters

array

List of Clusters.

Cluster

A Cluster is a single cluster.

name: cluster-1
match: cluster-1*
FieldTypeDescription

name

string

Cluster name (ID).

match

fnmatch expression to match cluster names (IDs).

Note: name and match are mutually exclusive. Only one of them can be set to a non-zero value.

Rule

A Rule is a set of users, clusters and Kubernetes impersonation groups.

The reserved prefix group/ is used to reference a user group in users or a cluster group in clusters.

users:
  - user1@example.com
  - group/user-group-1
clusters:
  - cluster1
  - group/cluster-group-1
role: Operator
kubernetes:
  impersonate:
    groups:
      - system:masters
      - another-impersonation-group
FieldTypeDescription

users

array

List of Users or UserGroups.

clusters

array

List of Clusters or ClusterGroups.

role

enum

Role to grant to the user.

kubernetes.impersonate.groups

array

List of strings representing Kubernetes impersonation groups.

Role

A Role is the role to grant to the user.

Possible values: None, Reader, Operator, Admin.

Test

A Test is a single test case.

Test cases are run when the resource is created or updated, and if any of them fail, the operation is rejected.

name: support engineer has full access to staging cluster
user:
  name: support1@example.com
cluster:
  name: staging-cluster-1
expected:
  role: Operator
  kubernetes:
    impersonate:
      groups:
        - system:masters
FieldTypeDescription

name

string

Human-friendly test case name.

user

TestUser

User identity to use in the test.

cluster

TestCluster

Cluster to use in the test.

expected

Expected

Expected result.

TestUser

A TestUser is the user identity to use in a test case.

name: user1@example.com
labels:
  level: "1"
FieldTypeDescription

name

string

User identity to use in the test.

labels

map[string]string

Map of label names to label values.

TestCluster

A TestCluster is the cluster to use in a test case.

name: cluster-1
FieldTypeDescription

name

string

Cluster name (ID).

Expected

An Expected is the expected results of a test case.

role: Operator
kubernetes:
  impersonate:
    groups:
      - system:masters
      - another-impersonation-group
FieldTypeDescription

role

enum

Role to grant to the user.

kubernetes.impersonate.groups

array

List of strings representing Kubernetes impersonation groups.

Previousomnictl CLINextGenerating omnictl CLI reference