Glob/Wildcard support for roles #58
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Two main changes: 1) Use `StrListContainsGlob` instead of `StrListContains` to allow for globbed names/namespaces - seemed like the path of least resistance 2) Update the `setupBackend` to accept the test role's allowed SA name/namespace as parameters, allowing to test globbed namespaces
nathkn
changed the title
|
Can someone please take a look at this PR? It'll make k8s auth much more usable for certain use cases. |
|
Thanks! |
|
Hey just catching up on this to track issue #47. Ordering of StrListContainsGlob is undefined, so an entry for "foo" and "f*" may get the "f*" match, or may get the "foo" wildcard. This makes it impossible to have hardcoded service accounts wild a wildcard catch-all (which is likely the most desirable usage of wildcards). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Solves #47
Allows for roles to specify their namespaces as globbed patterns:
vault write auth/kubernetes/role/my-role \ bound_service_account_names=my-globbed-sa-* \ bound_service_account_namespaces=my-globbed-namespace-* \ policies=default \ ttl=1hTwo main changes:
Use
StrListContainsGlobinstead ofStrListContainsto allow forglobbed names/namespaces - seemed like the path of least resistance
Update the
setupBackendtest function to accept the test role's allowed SAname/namespace as parameters, allowing testing of globbed namespaces
Not sure if more logic around this is needed since kubernetes names are pretty limited with regard to special characters anyway.