Skip to main content
ACLs are used to control fine-grained access policies of users to resources; and are validated, stored, and evaluated as an AccessPolicy resource in Omni. At the moment, only Kubernetes cluster access (group impersonation) is supported.

Structure

AccessPolicy

The AccessPolicy is a single resource containing a set of user groups, a set of cluster groups, a list of matching rules and a list of tests. 
metadata:
  namespace: default
  type: AccessPolicies.omni.sidero.dev
  id: access-policy
spec:
  usergroups:
    # match level-1 users by fnmatch expression
    level-1:
      users:
        - match: level-1*
    # match level-2 users by label selectors
    level-2:
      users:
        - labelselectors:
            - level=2
    # match level-3 users by explicit list
    level-3:
      users:
        - name: admin1@example.com
        - name: admin2@example.com
  clustergroups:
    dev:
      clusters:
        - match: dev-*
    staging:
      clusters:
        - match: staging-*
        - match: preprod-*
    production:
      clusters:
        - match: prod-*
  rules:
    - users:
        - group/level-1
      clusters:
        - group/dev
      role: Operator
    - users:
        - group/level-1
      clusters:
        - group/staging
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - read-only
    - users:
        - group/level-2
      clusters:
        - group/dev
        - group/staging
      role: Operator
    - users:
        - group/level-2
      clusters:
        - group/production
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - read-only
    - users:
        - group/level-3
      clusters:
        - group/dev
        - group/staging
        - group/production
      role: Admin
    # simple rule - without links to user or cluster groups
    - users:
        - vault-admin@example.com
      clusters:
        - vault
      role: Admin
  tests:
    # level-1 tests
    - name: level-1 engineer has Operator access to dev cluster
      user:
        name: level-1-a@example.com
      cluster:
        name: dev-cluster-1
      expected:
        role: Operator
    - name: level-1 engineer has read-only access to staging cluster
      user:
        name: level-1-b@example.com
      cluster:
        name: staging-cluster-1
      expected:
        role: Reader
        kubernetes:
          impersonate:
            groups:
              - read-only
    - name: level-1 engineer has no access to production cluster
      user:
        name: level-1-c@example.com
      cluster:
        name: production-cluster-1
      expected:
        role: None
        kubernetes:
          impersonate:
            groups: []
    # level-2 tests
    - name: level-2 engineer has Operator access to staging cluster
      user:
        name: something@example.com
        labels:
          level: "2"
      cluster:
        name: preprod-cluster-1
      expected:
        role: Operator
    - name: level-2 engineer has read-only access to prod cluster
      user:
        name: something@example.com
        labels:
          level: "2"
      cluster:
        name: prod-cluster-1
      expected:
        role: Reader
        kubernetes:
          impersonate:
            groups:
              - read-only
    # level-3 tests
    - name: level-3 engineer has admin access to prod cluster
      user:
        name: admin1@example.com
      cluster:
        name: prod-cluster-1
      expected:
        role: Admin
    # vault-admin tests
    - name: vault-admin has admin access to vault
      user:
        name: vault-admin@example.com
      cluster:
        name: vault
      expected:
        role: Admin
FieldTypeDescription
metadata.namespacestringAlways set to default.
metadata.typestringAccessPolicies.omni.sidero.dev.
metadata.idstringAlways set to access-policy.
spec.usergroupsmap[string]UserGroupMap of user group names to user group definitions.
spec.clustergroupsmap[string]ClusterGroupMap of cluster group names to cluster group definitions.
spec.rulesarrayList of rules to match.
spec.testsarrayList of tests to run when the resource is created or updated.

UserGroup

A UserGroup is a group of users. 
users:
  - name: user1@example.com
  - name: user2@example.com
FieldTypeDescription
usersarrayList of Users.

User

A User is a single user. 
name: user1@example.com
match: user1*
labelselectors:
  - level=1
FieldTypeDescription
namestringUser identity used to authenticate to Omni.
matchstringfnmatch expression to match user identities.
labelselectorsarrayList of label selector strings.
Note: name, match and labelselectors are mutually exclusive. Only one of them can be set to a non-zero value.

ClusterGroup

A ClusterGroup is a group of clusters. 
clusters:
  - name: cluster-1
  - name: cluster-2
FieldTypeDescription
clustersarrayList of Clusters.

Cluster

A Cluster is a single cluster. 
name: cluster-1
match: cluster-1*
FieldTypeDescription
namestringCluster name (ID).
matchfnmatch expression to match cluster names (IDs).
Note: name and match are mutually exclusive. Only one of them can be set to a non-zero value.

Rule

A Rule is a set of users, clusters and Kubernetes impersonation groups. The reserved prefix group/ is used to reference a user group in users or a cluster group in clusters. 
users:
  - user1@example.com
  - group/user-group-1
clusters:
  - cluster1
  - group/cluster-group-1
role: Operator
kubernetes:
  impersonate:
    groups:
      - system:masters
      - another-impersonation-group
FieldTypeDescription
usersarrayList of Users or UserGroups.
clustersarrayList of Clusters or ClusterGroups.
roleenumRole to grant to the user.
kubernetes.impersonate.groupsarrayList of strings representing Kubernetes impersonation groups.

Role

A Role is the role to grant to the user. Possible values: None, Reader, Operator, Admin.

Test

A Test is a single test case. Test cases are run when the resource is created or updated, and if any of them fail, the operation is rejected. 
name: support engineer has full access to staging cluster
user:
  name: support1@example.com
cluster:
  name: staging-cluster-1
expected:
  role: Operator
  kubernetes:
    impersonate:
      groups:
        - system:masters
FieldTypeDescription
namestringHuman-friendly test case name.
userTestUserUser identity to use in the test.
clusterTestClusterCluster to use in the test.
expectedExpectedExpected result.

TestUser

A TestUser is the user identity to use in a test case. 
name: user1@example.com
labels:
  level: "1"
FieldTypeDescription
namestringUser identity to use in the test.
labelsmap[string]stringMap of label names to label values.

TestCluster

A TestCluster is the cluster to use in a test case. 
name: cluster-1
FieldTypeDescription
namestringCluster name (ID).

Expected

An Expected is the expected results of a test case. 
role: Operator
kubernetes:
  impersonate:
    groups:
      - system:masters
      - another-impersonation-group
FieldTypeDescription
roleenumRole to grant to the user.
kubernetes.impersonate.groupsarrayList of strings representing Kubernetes impersonation groups.