Access Policies (ACLs)
Reference documentation for ACLs.
ACLs control fine-grained access of users to resources. They are validated, stored and evaluated as a single AccessPolicy resource in Omni.
At the moment, only Kubernetes cluster access (group impersonation) is supported.
Structure
AccessPolicy
The AccessPolicy is a single resource containing a set of user groups, a set of cluster groups, a list of matching rules and a list of tests.
| Field | Type | Description |
|---|---|---|
| `metadata.namespace` | string | Always set to `default`. |
| `metadata.type` | string | Always set to `AccessPolicies.omni.sidero.dev`. |
| `metadata.id` | string | Always set to `access-policy`. |
| `spec.usergroups` | map[string]UserGroup | Map of user group names to user group definitions. |
| `spec.clustergroups` | map[string]ClusterGroup | Map of cluster group names to cluster group definitions. |
| `spec.rules` | array of Rule | List of rules to match. |
| `spec.tests` | array of Test | List of tests to run when the resource is created or updated. |
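A complete AccessPolicy resource, added here as a worked example; it is not taken from the original page or from the Omni project, and the group names, identities, cluster IDs and the `readonly` Kubernetes group are made up. The `metadata` block uses the fixed values Omni expects for this resource; the label selector syntax is assumed to be Kubernetes-style `key=value`. Two groups of users are mapped to two groups of clusters, and the tests at the end pin down the one outcome that must never change: contractors get no role on production.

```yaml
metadata:
  namespace: default
  type: AccessPolicies.omni.sidero.dev
  id: access-policy
spec:
  usergroups:
    platform-admins:
      users:
        - name: alice@example.com            # exact identity
        - labelselectors:                    # any user carrying this label
            - team=platform
    contractors:
      users:
        - match: "*@contractor.example.net"  # fnmatch on the identity
  clustergroups:
    production:
      clusters:
        - match: "prod-*"                    # fnmatch on the cluster ID
    sandbox:
      clusters:
        - name: sandbox
  rules:
    - users:
        - group/platform-admins
      clusters:
        - group/production
        - group/sandbox
      role: Operator
      kubernetes:
        impersonate:
          groups:
            - system:masters
    - users:
        - group/contractors
      clusters:
        - group/sandbox
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - readonly                       # must be bound by RBAC inside the cluster
  tests:
    - name: contractors must never reach production
      user:
        name: bob@contractor.example.net
      cluster:
        name: prod-eu-1
      expected:
        role: None
    - name: labelled platform engineer is Operator on sandbox
      user:
        name: carol@example.com
        labels:
          team: platform
      cluster:
        name: sandbox
      expected:
        role: Operator
        kubernetes:
          impersonate:
            groups:
              - system:masters
```

Two points worth checking before applying such a policy. Impersonating `system:masters` is equivalent to cluster-admin on the target cluster, so keep that group behind an exact `name` or a tight selector rather than a broad `match`; a pattern such as `*@contractor.example.net` only matches identities ending in that suffix, but a bare `*` would match every authenticated user. The tests are the guardrail for later edits: if someone widens the `production` group or adds contractors to the first rule, the first test fails and the update is rejected.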
UserGroup
A UserGroup is a group of users.
| Field | Type | Description |
|---|---|---|
| `users` | array of User | List of Users. |
User
A User is a single user.
| Field | Type | Description |
|---|---|---|
| `name` | string | User identity used to authenticate to Omni. |
| `match` | string | fnmatch expression to match user identities. |
| `labelselectors` | array of string | List of label selector strings. |
Note: `name`, `match` and `labelselectors` are mutually exclusive. Only one of them can be set to a non-zero value.
ClusterGroup
A ClusterGroup is a group of clusters.
| Field | Type | Description |
|---|---|---|
| `clusters` | array of Cluster | List of Clusters. |
Cluster
A Cluster is a single cluster.
| Field | Type | Description |
|---|---|---|
| `name` | string | Cluster name (ID). |
| `match` | string | fnmatch expression to match cluster names (IDs). |
Note: `name` and `match` are mutually exclusive. Only one of them can be set to a non-zero value.
Rule
A Rule is a set of users, clusters and Kubernetes impersonation groups.
The reserved prefix `group/` is used to reference a user group in `users` or a cluster group in `clusters`.
| Field | Type | Description |
|---|---|---|
| `users` | array | List of Users or UserGroups. |
| `clusters` | array | List of Clusters or ClusterGroups. |
| `role` | enum (Role) | Role to grant to the user. |
| `kubernetes.impersonate.groups` | array of string | List of Kubernetes groups to impersonate. |
Role
A Role is the role to grant to the user.
Possible values: `None`, `Reader`, `Operator`, `Admin`.
Test
A Test is a single test case.
Test cases are run when the resource is created or updated; if any of them fail, the operation is rejected.
| Field | Type | Description |
|---|---|---|
| `name` | string | Human-friendly test case name. |
| `user` | TestUser | User identity to use in the test. |
| `cluster` | TestCluster | Cluster to use in the test. |
| `expected` | Expected | Expected result. |
TestUser
A TestUser is the user identity to use in a test case.
| Field | Type | Description |
|---|---|---|
| `name` | string | User identity to use in the test. |
| `labels` | map[string]string | Map of label names to label values. |
TestCluster
A TestCluster is the cluster to use in a test case.
| Field | Type | Description |
|---|---|---|
| `name` | string | Cluster name (ID). |
Expected
An Expected is the expected result of a test case.
| Field | Type | Description |
|---|---|---|
| `role` | enum (Role) | Role to grant to the user. |
| `kubernetes.impersonate.groups` | array of string | List of Kubernetes groups to impersonate. |
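To make the matching and testing semantics described above concrete, here is a small evaluator for the structure, written for this page as an added example; it is not Omni's implementation and the sample policy embedded in it is constructed. It enforces the two mutual-exclusivity notes, resolves `group/` references, matches users by exact name, fnmatch pattern or label selectors, matches clusters by name or pattern, and runs the embedded tests the way the page says Omni does on create or update. Several things the page does not specify are assumptions here and are marked as such in the code: label selectors use a small subset of Kubernetes selector syntax (`k=v`, `k!=v`, bare `k`, comma-separated terms ANDed, separate selector strings ORed); a rule entry without the `group/` prefix is treated as a literal identity or cluster ID; and when several rules match, the highest role wins and the impersonation groups are unioned.

```python
from fnmatch import fnmatchcase

ROLE_ORDER = ["None", "Reader", "Operator", "Admin"]  # Role values listed on the page
EXCLUSIVE = {"users": ("name", "match", "labelselectors"), "clusters": ("name", "match")}


def validate(policy):
    """The page's mutual-exclusivity notes: exactly one selector key per User or Cluster."""
    errors = []
    for section, key in (("usergroups", "users"), ("clustergroups", "clusters")):
        for gname, group in policy[section].items():
            for entry in group[key]:
                if sum(k in entry for k in EXCLUSIVE[key]) != 1:
                    errors.append(f"{section}/{gname}: {entry} must set exactly one of {EXCLUSIVE[key]}")
    return errors


def selector_matches(selector, labels):
    """Assumed label-selector subset: comma-separated 'k=v', 'k!=v' or bare 'k' terms, all must hold."""
    for term in (t.strip() for t in selector.split(",")):
        negate = "!=" in term
        key, _, value = term.replace("!=", "=").partition("=")
        if not value and key not in labels:  # bare key: the label must exist
            return False
        if value and (labels.get(key) == value) == negate:
            return False
    return True


def entry_matches(entry, ident, labels):
    """Match a User or Cluster entry by exact name, fnmatch pattern, or (Users only) label selectors."""
    if "name" in entry:
        return entry["name"] == ident
    if "match" in entry:
        return fnmatchcase(ident, entry["match"])
    return any(selector_matches(s, labels) for s in entry["labelselectors"])  # assumed: any selector


def members(refs, groups, key):
    """'group/<name>' expands to that group's entries; any other string is assumed to be a literal name."""
    return [m for ref in refs
            for m in (groups[ref[len("group/"):]][key] if ref.startswith("group/") else [{"name": ref}])]


def evaluate(policy, identity, labels, cluster_id):
    """Return (role, sorted impersonation groups) for one identity on one cluster.
    Assumed merge semantics across matching rules: highest role wins, groups are unioned."""
    role, groups = "None", set()
    for rule in policy["rules"]:
        if not any(entry_matches(u, identity, labels) for u in members(rule["users"], policy["usergroups"], "users")):
            continue
        if not any(entry_matches(c, cluster_id, {}) for c in members(rule["clusters"], policy["clustergroups"], "clusters")):
            continue
        if ROLE_ORDER.index(rule["role"]) > ROLE_ORDER.index(role):
            role = rule["role"]
        groups.update(rule.get("kubernetes", {}).get("impersonate", {}).get("groups", []))
    return role, sorted(groups)


def run_tests(policy):
    """Run the embedded tests; each failure is a reason to reject the create/update."""
    failures = []
    for test in policy["tests"]:
        user, expected = test["user"], test["expected"]
        got = evaluate(policy, user["name"], user.get("labels", {}), test["cluster"]["name"])
        want = (expected["role"], sorted(expected.get("kubernetes", {}).get("impersonate", {}).get("groups", [])))
        if got != want:
            failures.append(f"{test['name']}: expected {want}, got {got}")
    return failures


def check_policy(policy):
    """Validation first, then the tests; an empty list means the resource would be accepted."""
    return validate(policy) + run_tests(policy)


# Constructed sample policy; the groups, identities and cluster IDs are made up for this example.
POLICY = {
    "usergroups": {
        "platform": {"users": [{"name": "alice@example.com"},
                               {"labelselectors": ["team=platform,env!=contractor"]}]},
        "contractors": {"users": [{"match": "*@contractor.example.net"}]}},
    "clustergroups": {
        "production": {"clusters": [{"match": "prod-*"}]},
        "sandbox": {"clusters": [{"name": "sandbox"}]}},
    "rules": [
        {"users": ["group/platform"], "clusters": ["group/production", "group/sandbox"],
         "role": "Operator", "kubernetes": {"impersonate": {"groups": ["system:masters"]}}},
        {"users": ["group/contractors"], "clusters": ["group/sandbox"],
         "role": "Reader", "kubernetes": {"impersonate": {"groups": ["readonly"]}}}],
    "tests": [
        {"name": "contractor gets nothing on production", "cluster": {"name": "prod-eu-1"},
         "user": {"name": "bob@contractor.example.net"}, "expected": {"role": "None"}},
        {"name": "labelled engineer is Operator on sandbox", "cluster": {"name": "sandbox"},
         "user": {"name": "carol@example.com", "labels": {"team": "platform"}},
         "expected": {"role": "Operator", "kubernetes": {"impersonate": {"groups": ["system:masters"]}}}}],
}
```

`check_policy(POLICY)` returns an empty list for the sample, while a User entry that sets both `name` and `match` is reported by `validate` before any test runs. The evaluator is also useful for the question a reviewer most wants answered: call `evaluate` with an identity that matches more than one rule (for instance a `*@contractor.example.net` identity that also carries `team=platform`) and you see exactly which role and which impersonation groups the overlap produces, which is the kind of case worth turning into an explicit entry in `tests`.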