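# Cluster-scoped example. A ClusterRBACSyncConfig maps groups to ClusterRoles
# for the whole cluster; group membership comes from the `memberships` stanza
# below and/or from an upstream group source, if one is configured.
apiVersion: rbacsync.getcruise.com/v1alpha
kind: ClusterRBACSyncConfig
metadata:
  name: example
spec:
  bindings:
    # This group is defined locally. It will match against the memberships
    # declared below.
    # NOTE: cluster-admin is the built-in superuser ClusterRole, so every
    # member of this group gets unrestricted access to the entire cluster.
    # Keep its membership list short and reviewed.
    - group: cluster-admin-group
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
    # This group is not declared below and won't have members unless a group
    # upstream is configured.
    - group: mygroup-admin@getcruise.com
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
    # This group is improperly declared as a Role, instead of a ClusterRole.
    # This will result in a failure event when creating this binding.
    - group: someother-group
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: someother-role
  # Define group memberships directly
  memberships:
    - group: cluster-admin-group
      subjects:
        - kind: User
          name: a@getcruise.com
          apiGroup: rbac.authorization.k8s.io
        - kind: User
          name: b@getcruise.com
          apiGroup: rbac.authorization.k8s.io
        - kind: User
          name: c@getcruise.com
          # apiGroup was missing on this subject only; set it explicitly so all
          # User subjects are declared the same way and do not depend on
          # whoever consumes this config applying defaults.
          apiGroup: rbac.authorization.k8s.io
    - group: someother-group
      subjects:
        - kind: User
          name: a@getcruise.com
          apiGroup: rbac.authorization.k8s.io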
---
# Namespaced example. An RBACSyncConfig maps groups to Roles inside one
# namespace, using the same bindings/memberships layout as the cluster-scoped
# variant above.
apiVersion: rbacsync.getcruise.com/v1alpha
kind: RBACSyncConfig
metadata:
  name: example
  namespace: default  # namespace is required for RBACSyncConfig
spec:
  bindings:
    # Group defined in this file; its members are listed under `memberships`.
    - group: namespace-admin-group
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: namespace-admin
    # A group with no members yet is accepted. That makes it possible to
    # declare bindings ahead of time and roll membership out in stages.
    - group: someother-group
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: someother-role
    # This group is populated from two places at once: the memberships below
    # and the upstream source, giving a merged group. Useful for testing,
    # verification, or when the upstream cannot express what is needed.
    - group: my-merged-group@getcruise.com
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: someother-role
  # Group memberships declared inline
  memberships:
    - group: my-merged-group@getcruise.com
      subjects:
        - kind: User
          # Added to the merged group regardless of whether the upstream lists
          # this person as a member.
          name: extra@getcruise.com
          apiGroup: rbac.authorization.k8s.io
    - group: namespace-admin-group
      subjects:
        - kind: User
          name: a@getcruise.com
          apiGroup: rbac.authorization.k8s.io
        - kind: User
          name: b@getcruise.com
          apiGroup: rbac.authorization.k8s.io
        - kind: User
          name: c@getcruise.com
          apiGroup: rbac.authorization.k8s.io