Last active
August 29, 2023 19:26
-
-
Save mlbiam/af19685553520161d8427adf6d16c128 to your computer and use it in GitHub Desktop.
ocp demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cicd_proxy: | |
| image: docker.io/tremolosecurity/kube-oidc-proxy:latest | |
| replicas: 1 | |
| explicit_certificate_trust: true | |
| oidc: | |
| audience: https://cicd.apps-crc.testing/ | |
| issuer: ou.apps.192-168-2-79.nip.io/auth/idp/remotek8s | |
| claims: | |
| user: sub | |
| ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVDakNDQXZLZ0F3SUJBZ0lHQVlpZzJnN0RNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1IOHhKREFpQmdOVkJBTU0KRzI5MUxtRndjSE11TVRreUxURTJPQzB5TFRjNUxtNXBjQzVwYnpFVE1CRUdBMVVFQ3d3S1MzVmlaWEp1WlhSbApjekVPTUF3R0ExVUVDZ3dGVFhsUGNtY3hFekFSQmdOVkJBY01DazE1SUVOc2RYTjBaWEl4Q1RBSEJnTlZCQWdNCkFERVNNQkFHQTFVRUJoTUpUWGxEYjNWdWRISjVNQjRYRFRJek1EWXdPVEUxTlRBeU5Gb1hEVEkwTURZd09ERTEKTlRBeU5Gb3dmekVrTUNJR0ExVUVBd3diYjNVdVlYQndjeTR4T1RJdE1UWTRMVEl0TnprdWJtbHdMbWx2TVJNdwpFUVlEVlFRTERBcExkV0psY201bGRHVnpNUTR3REFZRFZRUUtEQVZOZVU5eVp6RVRNQkVHQTFVRUJ3d0tUWGtnClEyeDFjM1JsY2pFSk1BY0dBMVVFQ0F3QU1SSXdFQVlEVlFRR0V3bE5lVU52ZFc1MGNua3dnZ0VpTUEwR0NTcUcKU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREljZWNoS3lqVWsyQUlVUnBDblFMMjNRQWZkeXdnUHRacwpaNWx6UHVMbjJEQ0tFaUsxNDZDeUNYeWVIaHZYNWIyNHlRQzJoNERHam44STRTaXdrdTRDaE9YMGtFNUhkK29VCmdVMDU2UEhDNHJzdmlpS0MvY1lJVWJnaS9wT1k4dXVLQUg5T08vL3VSZDBsazkyTnJvWTZHeUgwVXBDNGhHWUcKWnZ5c2dIbG4xSGExQ3p4NGxGQlk3ZFdKZTU2M1R0b0pVam5XRExzM0ZndGhDcU9WSTVNTWpTM2V3YTNVVDR6RApoQmdOdmgxc0pvSnArZlgvTFZIcTZiVEhsVTBodnQ1VmRIQllTT1BJeG8yTVBDK3d0WkNGOE1SZVJtWWE3Vm9yCngwMHdJZnhMcHRxVk91cWJ0M1R6ZldrTnpNQWhrTWVnSHl6Zk54UUJoWC8vZ0h2bDYrd2pBZ01CQUFHamdZc3cKZ1lnd0ZnWURWUjBsQVFIL0JBd3dDZ1lJS3dZQkJRVUhBd0V3RGdZRFZSMFBBUUgvQkFRREFnV2dNRjRHQTFVZApFUVJYTUZXQ0cyOTFMbUZ3Y0hNdU1Ua3lMVEUyT0MweUxUYzVMbTVwY0M1cGI0SWJaR0l1WVhCd2N5NHhPVEl0Ck1UWTRMVEl0TnprdWJtbHdMbWx2Z2hsdmRXRndhUzR4T1RJdE1UWTRMVEl0TnprdWJtbHdMbWx2TUEwR0NTcUcKU0liM0RRRUJDd1VBQTRJQkFRQkgzazYxY1Q4YlBYdlNZZ3luT2lPSEZSZUVFNG1GQnQwemhkNG1md0prWFJEcwp1T2k5RW5kbnBjVWN0Wlp0MG8rZUIzR1oyZk1STnI3aUhHWHlWTThneC96NndxNnRCL1dyb29QVnRVYzhNWjRRCkpYczZyUHc1cHE5UUJ6UFBPaXQ4OFZwaEdRSGRFK3dpNU1qYUdsbGFEMjlTaVZJKzBITWFXR0dyRmVIMGlialQKbEV0Z0l4NWFna1pEd3BFNFVhcGdyNGR2L0RYc296N2VMS2dVY2UzUVNNVmFlOEQ0bXRpOWNSS3VtUC90SXIwWAovcGJ4SU9uYVI4aW9rdnR2ekptR0g4Yk5zTDRlVlQ1TjJoWmRGMXNkcC94aEFFaEsvZXBFcmlYWUQ5a3dKM2lnCkpNVDhYc25FYVFIbU1lQXgxWllyU3dReC9FangxaE9TdzRNSGNEYjUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== | |
| network: | |
| ingress_type: simple | |
| ingress_annotations: | |
| route.openshift.io/termination: "reencrypt" | |
| route.openshift.io/destination-ca-certificate-secret: ca-crt | |
| api_server_host: cicd.apps-crc.testing | |
| secure_from_ingress: true | |
| network_policies: | |
| enabled: false | |
| ingress: | |
| labels: | |
| kubernetes.io/metadata.name: kube-system | |
| services: | |
| enable_tokenrequest: false | |
| node_selectors: [] | |
| impersonation: | |
| users: | |
| - "openunison-control-plane" | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: Org | |
| metadata: | |
| name: local-ocp | |
| namespace: openunison | |
| spec: | |
| label: OpenShift RoleBindings | |
| azRules: | |
| - scope: dn | |
| constraint: o=Tremolo | |
| description: Access to the remote OpenShift cluster | |
| parent: B158BD40-0C1B-11E3-8FFD-0800200C9A66 | |
| showInPortal: true | |
| showInReports: false | |
| showInRequestAccess: true | |
| uuid: org-cluster-local-ocp | |
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: GroupMetaData | |
| metadata: | |
| name: test-rolebindings-internal | |
| namespace: openunison | |
| spec: | |
| groupName: test-rolebindings-internal | |
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: Workflow | |
| metadata: | |
| name: ocp-access | |
| namespace: openunison | |
| spec: | |
| description: Manage access to the $namespace$.$name$ RoleBinding | |
| inList: true | |
| label: Manage $namespace$.$name$ access | |
| orgId: org-cluster-local-ocp | |
| dynamicConfiguration: | |
| dynamic: true | |
| className: com.tremolosecurity.provisioning.dynamicwf.JavaScriptDynamicWorkflows | |
| params: | |
| - name: target | |
| value: k8s | |
| - name: javaScript | |
| value: |- | |
| HashMap = Java.type("java.util.HashMap"); | |
| ArrayList = Java.type("java.util.ArrayList"); | |
| System = Java.type("java.lang.System"); | |
| HashSet = Java.type("java.util.HashSet"); | |
| function generateWorkflows(wf,cfg,params,authInfo) { | |
| userGroups = new HashSet(); | |
| userGroups.addAll(authInfo.getAttribs().get("groups").getValues()); | |
| workflows = new ArrayList(); | |
| var ocp = cfg.getProvisioningEngine().getTarget("k8s").getProvider(); | |
| con = ocp.createClient(); | |
| try { | |
| var roleBindings = JSON.parse(ocp.callWS(ocp.getAuthToken(),con,"/apis/rbac.authorization.k8s.io/v1/rolebindings")); | |
| for (var i=0;i<roleBindings.items.length;i++) { | |
| var roleBinding = roleBindings.items[i]; | |
| annotations = roleBinding.metadata.annotations; | |
| if (annotations) { | |
| var groupName = annotations["tremolo.io/approvers-group"]; | |
| if (groupName) { | |
| if (userGroups.contains(groupName)) { | |
| System.out.println(roleBinding); | |
| wfParams = new HashMap(); | |
| wfParams.put("namespace",roleBinding.metadata.namespace); | |
| wfParams.put("name",roleBinding.metadata.name); | |
| workflows.add(wfParams); | |
| } | |
| } | |
| } | |
| } | |
| } finally { | |
| if (con != null) { | |
| con.getHttp().close(); | |
| con.getBcm().close(); | |
| } | |
| } | |
| return workflows; | |
| } | |
| tasks: |- | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.LoadAttributes | |
| params: | |
| nameAttr: uid | |
| name: | |
| - givenname | |
| - sn | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: pre check for user | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| GlobalEntries = Java.type("com.tremolosecurity.server.GlobalEntries"); | |
| System = Java.type("java.lang.System"); | |
| Boolean = Java.type("java.lang.Boolean"); | |
| Attribute = Java.typeAttribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| function init(task,params) { | |
| // nothing to do | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| var ocp = task.getConfigManager().getProvisioningEngine().getTarget("k8s").getProvider(); | |
| con = ocp.createClient(); | |
| try { | |
| // get the RoleBinding | |
| var rb = JSON.parse(ocp.callWS(ocp.getAuthToken(),con,"/apis/rbac.authorization.k8s.io/v1/namespaces/" + request.get("namespace") + "/rolebindings/" + request.get("name"))); | |
| // get the user | |
| var userid = user.getAttribs().get("mail").getValues().get(0); | |
| // look to see if the user is in the RoleBinding already | |
| var userFound = false; | |
| var subjects = rb.subjects; | |
| if (subjects) { | |
| for ( var i=0;i<subjects.length;i++) { | |
| var subject = subjects[i]; | |
| if (subject.kind == "User" && subject.name == userid ) { | |
| userFound = true; | |
| break; | |
| } | |
| } | |
| } | |
| user.getAttribs().put("userFoundInRb",new Attribute("userFoundInRb",Boolean.toString(userFound))); | |
| if (subjects) { | |
| user.getAttribs().put("subjectsInRb",new Attribute("subjectsInRb","true")); | |
| } else { | |
| user.getAttribs().put("subjectsInRb",new Attribute("subjectsInRb","false")); | |
| } | |
| // get the approver for the RoleBinding | |
| var metadata = rb.metadata; | |
| var annotations = metadata.annotations; | |
| var groupName = annotations["tremolo.io/approvers-group"]; | |
| request.put("approvalGroupName",groupName); | |
| request.put("userid",userid); | |
| } finally { | |
| if (con != null) { | |
| con.getHttp().close(); | |
| con.getBcm().close(); | |
| } | |
| } | |
| return true; | |
| } | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: post check for user | |
| - taskType: approval | |
| emailTemplate: "Approve access" | |
| mailAttr: mail | |
| failureEmailSubject: Access removed | |
| failureEmailMsg: |- | |
| Your access was removed because | |
| ${reason} | |
| label: "Approve access to RoleBinding $name$" | |
| approvers: | |
| - scope: group | |
| constraint: cn=$approvalGroupName$,ou=groups,ou=shadow,o=Tremolo | |
| onSuccess: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: "ACCESS APPROVED" | |
| - taskType: ifAttrHasValue | |
| name: "userFoundInRb" | |
| value: "true" | |
| onFailure: | |
| - taskType: ifAttrHasValue | |
| name: "subjectsInRb" | |
| value: "true" | |
| onSuccess: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: "patch1" | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.PatchK8sObject | |
| params: | |
| targetName: k8s | |
| kind: RoleBinding | |
| url: "/apis/rbac.authorization.k8s.io/v1/namespaces/$namespace$/rolebindings/$name$" | |
| patchType: json | |
| template: |- | |
| [ | |
| { | |
| "op":"add", | |
| "path":"/subjects/-", | |
| "value": {"kind":"User","name":"$userid$"} | |
| } | |
| ] | |
| onFailure: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: "patch2" | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.PatchK8sObject | |
| params: | |
| targetName: k8s | |
| kind: RoleBinding | |
| url: "/apis/rbac.authorization.k8s.io/v1/namespaces/$namespace$/rolebindings/$name$" | |
| patchType: json | |
| template: |- | |
| [ | |
| { | |
| "op":"add", | |
| "path":"/subjects", | |
| "value": [{"kind":"User","name":"$userid$"}] | |
| } | |
| ] | |
| onFailure: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: "patch4" | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.PatchK8sObject | |
| params: | |
| targetName: k8s | |
| kind: RoleBinding | |
| url: "/apis/rbac.authorization.k8s.io/v1/namespaces/$namespace$/rolebindings/$name$" | |
| patchType: json | |
| template: |- | |
| [ | |
| { | |
| "op":"add", | |
| "path":"/subjects", | |
| "value": [{"kind":"User","name":"$userid$"}] | |
| } | |
| ] | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| GlobalEntries = Java.type("com.tremolosecurity.server.GlobalEntries"); | |
| System = Java.type("java.lang.System"); | |
| Boolean = Java.type("java.lang.Boolean"); | |
| Attribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| ActionType = Java.type("com.tremolosecurity.provisioning.core.ProvisioningUtil.ActionType"); | |
| function init(task,params) { | |
| // nothing to do | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| var approvalID = 0; | |
| if (request.containsKey("APPROVAL_ID")) { | |
| approvalID = request.get("APPROVAL_ID"); | |
| } | |
| task.getConfigManager().getProvisioningEngine().logAction("k8s",false, ActionType.Add, approvalID, task.getWorkflow(), "rolebinding-" + request.get("namespace") + "." + request.get("name") + ".subjects.name", user.getAttribs().get("mail").getValues().get(0)); | |
| return true; | |
| } | |
| onFailure: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: "ACCESS DENIED" | |
| - taskType: ifAttrHasValue | |
| name: "userFoundInRb" | |
| value: "true" | |
| onSuccess: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| GlobalEntries = Java.type("com.tremolosecurity.server.GlobalEntries"); | |
| System = Java.type("java.lang.System"); | |
| Boolean = Java.type("java.lang.Boolean"); | |
| Attribute = Java.typeAttribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| function init(task,params) { | |
| // nothing to do | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| var ocp = task.getConfigManager().getProvisioningEngine().getTarget("k8s").getProvider(); | |
| con = ocp.createClient(); | |
| try { | |
| // get the RoleBinding | |
| var rb = JSON.parse(ocp.callWS(ocp.getAuthToken(),con,"/apis/rbac.authorization.k8s.io/v1/namespaces/" + request.get("namespace") + "/rolebindings/" + request.get("name"))); | |
| // get the user | |
| var userid = user.getAttribs().get("mail").getValues().get(0); | |
| var newSubjects={"subjects":[]}; | |
| // look to see if the user is in the RoleBinding already | |
| var userFound = false; | |
| var subjects = rb.subjects; | |
| if (subjects) { | |
| for ( var i=0;i<subjects.length;i++) { | |
| var subject = subjects[i]; | |
| if (subject.kind == "User" && subject.name == userid ) { | |
| userFound = true; | |
| } else { | |
| newSubjects.subjects.push(subject); | |
| } | |
| } | |
| } | |
| if (subjects) { | |
| user.getAttribs().put("subjectsInRb",new Attribute("subjectsInRb","true")); | |
| } else { | |
| user.getAttribs().put("subjectsInRb",new Attribute("subjectsInRb","false")); | |
| } | |
| request.put("patchData",JSON.stringify(newSubjects)); | |
| } finally { | |
| if (con != null) { | |
| con.getHttp().close(); | |
| con.getBcm().close(); | |
| } | |
| } | |
| return true; | |
| } | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: "patch5" | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.PatchK8sObject | |
| params: | |
| targetName: k8s | |
| kind: RoleBinding | |
| url: "/apis/rbac.authorization.k8s.io/v1/namespaces/$namespace$/rolebindings/$name$?fieldManager=kubectl-edit&fieldValidation=Strict" | |
| patchType: "strategic" | |
| template: $patchData$ | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| GlobalEntries = Java.type("com.tremolosecurity.server.GlobalEntries"); | |
| System = Java.type("java.lang.System"); | |
| Boolean = Java.type("java.lang.Boolean"); | |
| Attribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| ActionType = Java.type("com.tremolosecurity.provisioning.core.ProvisioningUtil.ActionType"); | |
| function init(task,params) { | |
| // nothing to do | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| var approvalID = 0; | |
| if (request.containsKey("APPROVAL_ID")) { | |
| approvalID = request.get("APPROVAL_ID"); | |
| } | |
| task.getConfigManager().getProvisioningEngine().logAction("k8s",false, ActionType.Delete, approvalID, task.getWorkflow(), "rolebinding-" + request.get("namespace") + "." + request.get("name") + ".subjects.name", user.getAttribs().get("mail").getValues().get(0)); | |
| return true; | |
| } | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: Target | |
| metadata: | |
| name: k8s-ocp | |
| namespace: openunison | |
| spec: | |
| className: com.tremolosecurity.unison.openshiftv3.OpenShiftTarget | |
| params: | |
| - name: url | |
| value: https://cicd.apps-crc.testing | |
| - name: certificate | |
| value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURERENDQWZTZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFtTVNRd0lnWURWUVFEREJ0cGJtZHkKWlhOekxXOXdaWEpoZEc5eVFERTJPRFEzTlRVM05qQXdIaGNOTWpNd05USXlNVEUwTWpNNVdoY05NalV3TlRJeApNVEUwTWpRd1dqQW1NU1F3SWdZRFZRUUREQnRwYm1keVpYTnpMVzl3WlhKaGRHOXlRREUyT0RRM05UVTNOakF3CmdnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURPOHNtOEQ2Z1Q0YjlKQ2lzUHZLT3gKSFdBL2lwYkFDTFlwVldsUTkvanhWL3A5OVpITWtWVXdJK0x3VmhaZXZ6bW5uQ1dHWkhJMEJzV2NURWlZVGxwUApUT0szL21BMmkrMEs4U1AzN0xWZ2VuSmpqZUV5VUFqTTBlNWJHTk1DeDNubVNaQzA3V0RMcGp3V3ZMNlFRazJTCjBMYXNhbWQzenJQK2FycVpMaGZLS1BiU255aktSOWpCUjdDTjZWR1ZFVTB5bzhqakN2Y2VnaElpK1l2YVY0Zm0KajhLeitlRXJYSHh1b1lrU0k2VWtVQXhQOTZzenBMQTNQaExkZjljZ0lNS0NDOTRMazI4R0I5d244cWxyVkFMLwpWdmxxeEFjcTB2MU1UWkRadkowMVlvWVQvSW95c1FMcTdMeG92RDNEWXYxdDRIQmYvQk9IaXEvT3dtSVZwcjJUCkFnTUJBQUdqUlRCRE1BNEdBMVVkRHdFQi93UUVBd0lDcERBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQU1CMEcKQTFVZERnUVdCQlJWWmRpZTh0M1o0a3ppcVBDdCtIVUpGUTZYU2pBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQQpZMGN4cEJLWmNUOHljUlRVSGVwZURwYUlTbFBqTkU3ZWVUTjhSbFFGckU2RGFmMVJiOVVTajFUNEUwSnZaK2xtCm42OVZWdVd1MkVvOTlLMzh4R1d0NmR0S3UxQWFEOU5rVVJGSXBDZWc4RVI2ZUk2SWRPdGJ3cmRRSEpCd3RQN2kKUHBxc3ZVUWVEd3VMdUFGczBRcUlma0JLQ1R2YTBOQ0NRZTVRdjdMOHVueis2WlpyNUFTRFh3ZkJiL0xVeDZFTwoxV1pnMzUvRWFoNlBZa2o4eTF3OHRlM2pMbVBYelRVc1VvKzNCS1V2ZUNGbU5lT2R4aGN1aU4rVjBWcmdWWmk0Cm9xMHV1eUJhejJoTURLWTMwWSt6djR3STFlSGFBUkNKU3Njbyt5Mm1PT0FYaDFXaFp4L2diSEFuNHRCbnZpN1IKdlRCV0xGS2RsRitEZWNIclcveTEzUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= | |
| - name: tokenType | |
| value: "oidc" | |
| - name: oidcIdp | |
| value: remotek8s | |
| - name: oidcSub | |
| value: openunison-control-plane | |
| - name: useToken | |
| value: "true" | |
| - name: oidcAudience | |
| value: https://cicd.apps-crc.testing/ | |
| - name: label | |
| value: ocp | |
| secretParams: [] | |
| targetAttributes: | |
| - name: fullName | |
| source: displayName | |
| sourceType: user | |
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: Org | |
| metadata: | |
| name: remote-ocp | |
| namespace: openunison | |
| spec: | |
| label: Remote OpenShift Cluster | |
| azRules: | |
| - scope: dn | |
| constraint: o=Tremolo | |
| description: Access to the remote OpenShift cluster | |
| parent: B158BD40-0C1B-11E3-8FFD-0800200C9A66 | |
| showInPortal: true | |
| showInReports: false | |
| showInRequestAccess: true | |
| uuid: org-cluster-remote-ocp | |
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: GroupMetaData | |
| metadata: | |
| name: test-rolebindings-internal | |
| namespace: openunison | |
| spec: | |
| groupName: test-rolebindings-internal | |
| --- | |
| apiVersion: openunison.tremolo.io/v1 | |
| kind: Workflow | |
| metadata: | |
| name: ocp-access | |
| namespace: openunison | |
| spec: | |
| description: Manage access to the $namespace$.$name$ RoleBinding | |
| inList: true | |
| label: Manage $namespace$.$name$ access | |
| orgId: org-cluster-remote-ocp | |
| dynamicConfiguration: | |
| dynamic: true | |
| className: com.tremolosecurity.provisioning.dynamicwf.JavaScriptDynamicWorkflows | |
| params: | |
| - name: target | |
| value: k8s-ocp | |
| - name: javaScript | |
| value: |- | |
| HashMap = Java.type("java.util.HashMap"); | |
| ArrayList = Java.type("java.util.ArrayList"); | |
| System = Java.type("java.lang.System"); | |
| HashSet = Java.type("java.util.HashSet"); | |
| function generateWorkflows(wf,cfg,params,authInfo) { | |
| userGroups = new HashSet(); | |
| userGroups.addAll(authInfo.getAttribs().get("groups").getValues()); | |
| workflows = new ArrayList(); | |
| var ocp = cfg.getProvisioningEngine().getTarget("k8s-ocp").getProvider(); | |
| con = ocp.createClient(); | |
| try { | |
| var roleBindings = JSON.parse(ocp.callWS(ocp.getAuthToken(),con,"/apis/rbac.authorization.k8s.io/v1/rolebindings")); | |
| for (var i=0;i<roleBindings.items.length;i++) { | |
| var roleBinding = roleBindings.items[i]; | |
| annotations = roleBinding.metadata.annotations; | |
| if (annotations) { | |
| var groupName = annotations["tremolo.io/approvers-group"]; | |
| if (groupName) { | |
| if (userGroups.contains(groupName)) { | |
| System.out.println(roleBinding); | |
| wfParams = new HashMap(); | |
| wfParams.put("namespace",roleBinding.metadata.namespace); | |
| wfParams.put("name",roleBinding.metadata.name); | |
| workflows.add(wfParams); | |
| } | |
| } | |
| } | |
| } | |
| } finally { | |
| if (con != null) { | |
| con.getHttp().close(); | |
| con.getBcm().close(); | |
| } | |
| } | |
| return workflows; | |
| } | |
| tasks: |- | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.LoadAttributes | |
| params: | |
| nameAttr: uid | |
| name: | |
| - givenname | |
| - sn | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: pre check for user | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| GlobalEntries = Java.type("com.tremolosecurity.server.GlobalEntries"); | |
| System = Java.type("java.lang.System"); | |
| Boolean = Java.type("java.lang.Boolean"); | |
| Attribute = Java.typeAttribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| function init(task,params) { | |
| // nothing to do | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| var ocp = task.getConfigManager().getProvisioningEngine().getTarget("k8s-ocp").getProvider(); | |
| con = ocp.createClient(); | |
| try { | |
| // get the RoleBinding | |
| var rb = JSON.parse(ocp.callWS(ocp.getAuthToken(),con,"/apis/rbac.authorization.k8s.io/v1/namespaces/" + request.get("namespace") + "/rolebindings/" + request.get("name"))); | |
| // get the user | |
| var userid = user.getAttribs().get("mail").getValues().get(0); | |
| // look to see if the user is in the RoleBinding already | |
| var userFound = false; | |
| var subjects = rb.subjects; | |
| for ( var i=0;i<subjects.length;i++) { | |
| var subject = subjects[i]; | |
| if (subject.kind == "User" && subject.name == userid ) { | |
| userFound = true; | |
| break; | |
| } | |
| } | |
| user.getAttribs().put("userFoundInRb",new Attribute("userFoundInRb",Boolean.toString(userFound))); | |
| // get the approver for the RoleBinding | |
| var metadata = rb.metadata; | |
| var annotations = metadata.annotations; | |
| var groupName = annotations["tremolo.io/approvers-group"]; | |
| request.put("approvalGroupName",groupName); | |
| request.put("userid",userid); | |
| } finally { | |
| if (con != null) { | |
| con.getHttp().close(); | |
| con.getBcm().close(); | |
| } | |
| } | |
| return true; | |
| } | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: post check for user | |
| - taskType: approval | |
| emailTemplate: "Approve access" | |
| mailAttr: mail | |
| failureEmailSubject: Access removed | |
| failureEmailMsg: |- | |
| Your access was removed because | |
| ${reason} | |
| label: "Approve access to RoleBinding $name$" | |
| approvers: | |
| - scope: group | |
| constraint: cn=$approvalGroupName$,ou=groups,ou=shadow,o=Tremolo | |
| onSuccess: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: "ACCESS APPROVED" | |
| - taskType: ifAttrHasValue | |
| name: "userFoundInRb" | |
| value: "true" | |
| onFailure: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.PatchK8sObject | |
| params: | |
| targetName: k8s-ocp | |
| kind: RoleBinding | |
| url: "/apis/rbac.authorization.k8s.io/v1/namespaces/$namespace$/rolebindings/$name$" | |
| patchType: json | |
| template: |- | |
| [ | |
| { | |
| "op":"add", | |
| "path":"/subjects/-", | |
| "value": {"kind":"User","name":"$userid$"} | |
| } | |
| ] | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| GlobalEntries = Java.type("com.tremolosecurity.server.GlobalEntries"); | |
| System = Java.type("java.lang.System"); | |
| Boolean = Java.type("java.lang.Boolean"); | |
| Attribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| ActionType = Java.type("com.tremolosecurity.provisioning.core.ProvisioningUtil.ActionType"); | |
| function init(task,params) { | |
| // nothing to do | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| var approvalID = 0; | |
| if (request.containsKey("APPROVAL_ID")) { | |
| approvalID = request.get("APPROVAL_ID"); | |
| } | |
| task.getConfigManager().getProvisioningEngine().logAction("k8s-ocp",false, ActionType.Add, approvalID, task.getWorkflow(), "rolebinding-" + request.get("namespace") + "." + request.get("name") + ".subjects.name", user.getAttribs().get("mail").getValues().get(0)); | |
| return true; | |
| } | |
| onFailure: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.PrintUserInfo | |
| params: | |
| message: "ACCESS DENIED" | |
| - taskType: ifAttrHasValue | |
| name: "userFoundInRb" | |
| value: "true" | |
| onSuccess: | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| GlobalEntries = Java.type("com.tremolosecurity.server.GlobalEntries"); | |
| System = Java.type("java.lang.System"); | |
| Boolean = Java.type("java.lang.Boolean"); | |
| Attribute = Java.typeAttribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| function init(task,params) { | |
| // nothing to do | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| var ocp = task.getConfigManager().getProvisioningEngine().getTarget("k8s-ocp").getProvider(); | |
| con = ocp.createClient(); | |
| try { | |
| // get the RoleBinding | |
| var rb = JSON.parse(ocp.callWS(ocp.getAuthToken(),con,"/apis/rbac.authorization.k8s.io/v1/namespaces/" + request.get("namespace") + "/rolebindings/" + request.get("name"))); | |
| // get the user | |
| var userid = user.getAttribs().get("mail").getValues().get(0); | |
| var newSubjects={"subjects":[]}; | |
| // look to see if the user is in the RoleBinding already | |
| var userFound = false; | |
| var subjects = rb.subjects; | |
| for ( var i=0;i<subjects.length;i++) { | |
| var subject = subjects[i]; | |
| if (subject.kind == "User" && subject.name == userid ) { | |
| userFound = true; | |
| } else { | |
| newSubjects.subjects.push(subject); | |
| } | |
| } | |
| request.put("patchData",JSON.stringify(newSubjects)); | |
| } finally { | |
| if (con != null) { | |
| con.getHttp().close(); | |
| con.getBcm().close(); | |
| } | |
| } | |
| return true; | |
| } | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.tasks.PatchK8sObject | |
| params: | |
| targetName: k8s-ocp | |
| kind: RoleBinding | |
| url: "/apis/rbac.authorization.k8s.io/v1/namespaces/$namespace$/rolebindings/$name$?fieldManager=kubectl-edit&fieldValidation=Strict" | |
| patchType: "strategic" | |
| template: $patchData$ | |
| - taskType: customTask | |
| className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask | |
| params: | |
| javaScript: |- | |
| GlobalEntries = Java.type("com.tremolosecurity.server.GlobalEntries"); | |
| System = Java.type("java.lang.System"); | |
| Boolean = Java.type("java.lang.Boolean"); | |
| Attribute = Java.type("com.tremolosecurity.saml.Attribute"); | |
| ActionType = Java.type("com.tremolosecurity.provisioning.core.ProvisioningUtil.ActionType"); | |
| function init(task,params) { | |
| // nothing to do | |
| } | |
| function reInit(task) { | |
| state.put("workflow_obj",task.getWorkflow()); | |
| } | |
| function doTask(user,request) { | |
| var approvalID = 0; | |
| if (request.containsKey("APPROVAL_ID")) { | |
| approvalID = request.get("APPROVAL_ID"); | |
| } | |
| task.getConfigManager().getProvisioningEngine().logAction("k8s-ocp",false, ActionType.Delete, approvalID, task.getWorkflow(), "rolebinding-" + request.get("namespace") + "." + request.get("name") + ".subjects.name", user.getAttribs().get("mail").getValues().get(0)); | |
| return true; | |
| } | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| network: | |
| openunison_host: "ou.apps.192-168-2-79.nip.io" | |
| dashboard_host: "db.apps.192-168-2-79.nip.io" | |
| api_server_host: "ouapi.192-168-2-79.nip.io" | |
| session_inactivity_timeout_seconds: 900 | |
| k8s_url: https://api.crc.testing | |
| force_redirect_to_tls: true | |
| createIngressCertificate: true | |
| ingress_type: nginx | |
| ingress_annotations: {} | |
| # route.openshift.io/termination: "reencrypt" | |
| # route.openshift.io/destination-ca-certificate-secret: unison-tls | |
| cert_template: | |
| ou: "Kubernetes" | |
| o: "MyOrg" | |
| l: "My Cluster" | |
| st: "State of Cluster" | |
| c: "MyCountry" | |
| image: docker.io/tremolosecurity/betas:1.0.37 | |
| myvd_config_path: "WEB-INF/myvd.conf" | |
| k8s_cluster_name: openunison-openshift | |
| enable_impersonation: true | |
| impersonation: | |
| use_jetstack: true | |
| jetstack_oidc_proxy_image: docker.io/tremolosecurity/kube-oidc-proxy:latest | |
| explicit_certificate_trust: true | |
| dashboard: | |
| namespace: "kubernetes-dashboard" | |
| cert_name: "kubernetes-dashboard-certs" | |
| label: "k8s-app=kubernetes-dashboard" | |
| service_name: kubernetes-dashboard | |
| require_session: true | |
| enabled: false | |
| certs: | |
| use_k8s_cm: false | |
| trusted_certs: [] | |
| monitoring: | |
| prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s | |
| # Uncomment one of the below options for authentication | |
| #active_directory: | |
| # base: cn=users,dc=ent2k12,dc=domain,dc=com | |
| # host: "192.168.2.75" | |
| # port: "636" | |
| # bind_dn: "cn=Administrator,cn=users,dc=ent2k12,dc=domain,dc=com" | |
| # con_type: ldaps | |
| # srv_dns: "false" | |
| oidc: | |
| client_id: openunison | |
| issuer: https://keycloak.lab.tremolo.dev/auth/realms/ocp/ | |
| user_in_idtoken: true | |
| domain: "" | |
| scopes: openid email profile | |
| claims: | |
| sub: email | |
| email: email | |
| given_name: given_name | |
| family_name: family_name | |
| display_name: name | |
| groups: groups | |
| # azure: | |
| # tennant_id: "61cbe426-d3ca-4ebd-8ca4-e47e354a85bb" | |
| #github: | |
| # client_id: d85d77c55a08c9bcbb15 | |
| # teams: TremoloSecurity/ | |
| #saml: | |
| # idp_url: "https://portal.apps.tremolo.io/idp-test/metadata/dfbe4040-cd32-470e-a9b6-809c8f857c40" | |
| network_policies: | |
| enabled: false | |
| ingress: | |
| enabled: true | |
| labels: | |
| app.kubernetes.io/name: ingress-nginx | |
| monitoring: | |
| enabled: true | |
| labels: | |
| app.kubernetes.io/name: monitoring | |
| apiserver: | |
| enabled: false | |
| labels: | |
| app.kubernetes.io/name: kube-system | |
| services: | |
| enable_tokenrequest: false | |
| token_request_audience: api | |
| token_request_expiration_seconds: 600 | |
| node_selectors: [] | |
| openunison: | |
| #debugConfigMap: debugging | |
| #include_auth_chain: azuread-load-groups | |
| replicas: 1 | |
| non_secret_data: | |
| K8S_DB_SSO: oidc | |
| PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s | |
| SHOW_PORTAL_ORGS: "false" | |
| secrets: [] | |
| html: | |
| image: docker.io/tremolosecurity/openunison-k8s-html | |
| enable_provisioning: true | |
| use_standard_jit_workflow: false | |
| #az_groups: | |
| #- CN=k8s-users,CN=Users,DC=ent2k12,DC=domain,DC=com | |
| #myvd_configmap: myvdconfig | |
| # For Namespace as a Service | |
| database: | |
| hibernate_dialect: org.hibernate.dialect.MySQL5InnoDBDialect | |
| quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate | |
| driver: com.mysql.jdbc.Driver | |
| url: jdbc:mysql://databases.lab.tremolo.dev:32640/ocpdemo | |
| user: root | |
| validation: SELECT 1 | |
| smtp: | |
| host: blackhole.blackhole.svc.cluster.local | |
| port: 1025 | |
| user: "none" | |
| from: donotreply@domain.com | |
| tls: false |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment