Access Policies (ACLs)

Reference documentation for ACLs.

ACLs are used to control fine-grained access policies of users to resources; and are validated, stored, and evaluated as an AccessPolicy resource in Omni.

At the moment, only Kubernetes cluster access (group impersonation) is supported.

Structure

`AccessPolicy`

The AccessPolicy is a single resource containing a set of user groups, a set of cluster groups, a list of matching rules and a list of tests.

metadata:
  namespace: default
  type: AccessPolicies.omni.sidero.dev
  id: access-policy
spec:
  usergroups:
    # match level-1 users by fnmatch expression
    level-1:
      users:
        - match: level-1*
    # match level-2 users by label selectors
    level-2:
      users:
        - labelselectors:
            - level=2
    # match level-3 users by explicit list
    level-3:
      users:
        - name: admin1@example.com
        - name: admin2@example.com
  clustergroups:
    dev:
      clusters:
        - match: dev-*
    staging:
      clusters:
        - match: staging-*
        - match: preprod-*
    production:
      clusters:
        - match: prod-*
  rules:
    - users:
        - group/level-1
      clusters:
        - group/dev
      role: Operator
    - users:
        - group/level-1
      clusters:
        - group/staging
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - read-only
    - users:
        - group/level-2
      clusters:
        - group/dev
        - group/staging
      role: Operator
    - users:
        - group/level-2
      clusters:
        - group/production
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - read-only
    - users:
        - group/level-3
      clusters:
        - group/dev
        - group/staging
        - group/production
      role: Admin
    # simple rule - without links to user or cluster groups
    - users:
        - vault-admin@example.com
      clusters:
        - vault
      role: Admin
  tests:
    # level-1 tests
    - name: level-1 engineer has Operator access to dev cluster
      user:
        name: level-1-a@example.com
      cluster:
        name: dev-cluster-1
      expected:
        role: Operator
    - name: level-1 engineer has read-only access to staging cluster
      user:
        name: level-1-b@example.com
      cluster:
        name: staging-cluster-1
      expected:
        role: Reader
        kubernetes:
          impersonate:
            groups:
              - read-only
    - name: level-1 engineer has no access to production cluster
      user:
        name: level-1-c@example.com
      cluster:
        name: production-cluster-1
      expected:
        role: None
        kubernetes:
          impersonate:
            groups: []
    # level-2 tests
    - name: level-2 engineer has Operator access to staging cluster
      user:
        name: something@example.com
        labels:
          level: "2"
      cluster:
        name: preprod-cluster-1
      expected:
        role: Operator
    - name: level-2 engineer has read-only access to prod cluster
      user:
        name: something@example.com
        labels:
          level: "2"
      cluster:
        name: prod-cluster-1
      expected:
        role: Reader
        kubernetes:
          impersonate:
            groups:
              - read-only
    # level-3 tests
    - name: level-3 engineer has admin access to prod cluster
      user:
        name: admin1@example.com
      cluster:
        name: prod-cluster-1
      expected:
        role: Admin
    # vault-admin tests
    - name: vault-admin has admin access to vault
      user:
        name: vault-admin@example.com
      cluster:
        name: vault
      expected:
        role: Admin

Field

Type

Description

metadata.namespace

string

Always set to default.

metadata.type

string

AccessPolicies.omni.sidero.dev.

metadata.id

string

Always set to access-policy.

spec.usergroups

map[string]

Map of user group names to user group definitions.

spec.clustergroups

map[string]

Map of cluster group names to cluster group definitions.

spec.rules

array

List of to match.

spec.tests

array

List of to run when the resource is created or updated.

`UserGroup`

A UserGroup is a group of users.

users:
  - name: user1@example.com
  - name: user2@example.com

Field

Type

Description

users

array

List of s.

`User`

A User is a single user.

name: user1@example.com
match: user1*
labelselectors:
  - level=1

Field

Type

Description

name

string

User identity used to authenticate to Omni.

match

string

expression to match user identities.

labelselectors

array

List of label selector strings.

Note: name, match and labelselectors are mutually exclusive. Only one of them can be set to a non-zero value.

`ClusterGroup`

A ClusterGroup is a group of clusters.

clusters:
  - name: cluster-1
  - name: cluster-2

Field

Type

Description

clusters

array

List of s.

`Cluster`

A Cluster is a single cluster.

name: cluster-1
match: cluster-1*

Field

Type

Description

name

string

Cluster name (ID).

match

expression to match cluster names (IDs).

Note: name and match are mutually exclusive. Only one of them can be set to a non-zero value.

`Rule`

A Rule is a set of users, clusters and Kubernetes impersonation groups.

The reserved prefix group/ is used to reference a user group in users or a cluster group in clusters.

users:
  - user1@example.com
  - group/user-group-1
clusters:
  - cluster1
  - group/cluster-group-1
role: Operator
kubernetes:
  impersonate:
    groups:
      - system:masters
      - another-impersonation-group

Field

Type

Description

users

array

List of s or s.

clusters

array

List of s or s.

role

enum

to grant to the user.

kubernetes.impersonate.groups

array

List of strings representing Kubernetes impersonation groups.

`Role`

A Role is the role to grant to the user.

Possible values: None, Reader, Operator, Admin.

`Test`

A Test is a single test case.

Test cases are run when the resource is created or updated, and if any of them fail, the operation is rejected.

name: support engineer has full access to staging cluster
user:
  name: support1@example.com
cluster:
  name: staging-cluster-1
expected:
  role: Operator
  kubernetes:
    impersonate:
      groups:
        - system:masters

Field

Type

Description

name

string

Human-friendly test case name.

user

User identity to use in the test.

cluster

Cluster to use in the test.

expected

Expected result.

`TestUser`

A TestUser is the user identity to use in a test case.

name: user1@example.com
labels:
  level: "1"

Field

Type

Description

name

string

User identity to use in the test.

labels

map[string]string

Map of label names to label values.

`TestCluster`

A TestCluster is the cluster to use in a test case.

name: cluster-1

Field

Type

Description

name

string

Cluster name (ID).

`Expected`

An Expected is the expected results of a test case.

role: Operator
kubernetes:
  impersonate:
    groups:
      - system:masters
      - another-impersonation-group

Field

Type

Description

role

enum

to grant to the user.

kubernetes.impersonate.groups

array

List of strings representing Kubernetes impersonation groups.

Previousomnictl CLI NextGenerating omnictl CLI reference