From b29b59a0817b59d597a84def35121d446e380278 Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Thu, 9 Oct 2025 11:03:17 +0100 Subject: [PATCH 1/2] feat: Base configuration to deploy rbac-manager --- .../base/services/rbac-manager/README.md | 14 + .../helm-values/hardened-values-1.21.1.yaml | 128 ++++++++ .../services/rbac-manager/helmrelease.yaml | 37 +++ .../services/rbac-manager/kustomization.yaml | 13 + .../base/services/rbac-manager/namespace.yaml | 5 + .../rbac-definitions/kustomization.yaml | 5 + .../rbac-definitions/oidc-rbac-templates.yaml | 293 ++++++++++++++++++ .../base/services/rbac-manager/source.yaml | 8 + 8 files changed, 503 insertions(+) create mode 100644 applications/base/services/rbac-manager/README.md create mode 100644 applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml create mode 100644 applications/base/services/rbac-manager/helmrelease.yaml create mode 100644 applications/base/services/rbac-manager/kustomization.yaml create mode 100644 applications/base/services/rbac-manager/namespace.yaml create mode 100644 applications/base/services/rbac-manager/rbac-definitions/kustomization.yaml create mode 100644 applications/base/services/rbac-manager/rbac-definitions/oidc-rbac-templates.yaml create mode 100644 applications/base/services/rbac-manager/source.yaml diff --git a/applications/base/services/rbac-manager/README.md b/applications/base/services/rbac-manager/README.md new file mode 100644 index 0000000..dac9774 --- /dev/null +++ b/applications/base/services/rbac-manager/README.md 
@@ -0,0 +1,14 @@ +# RBAC Manager – Base Configuration + +This directory contains the **base manifests** for deploying [RBAC Manager](https://github.com/FairwindsOps/rbac-manager), a Kubernetes operator that simplifies the management of RoleBindings and ClusterRoleBindings. +It is designed to be **consumed by cluster repositories** as a remote base, allowing each cluster to apply **custom overrides** as needed. + +**About RBAC Manager:** + +- Automates the creation and maintenance of **Kubernetes RBAC roles and bindings** using declarative configurations. +- Introduces the `RBACDefinition` custom resource to manage multiple roles and bindings in a single YAML file. +- Simplifies access control management for users, groups, and service accounts across namespaces. +- Reduces manual errors and configuration drift by keeping RBAC resources consistent and version-controlled. +- Supports both **namespaced** and **cluster-wide** role management, making it suitable for multi-team or multi-tenant clusters. +- Commonly used to manage platform-level access, application team permissions, and read-only auditor roles. +- Improves security and governance by providing a consistent and automated approach to RBAC configuration. diff --git a/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml b/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml new file mode 100644 index 0000000..8afee3c --- /dev/null +++ b/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml 
@@ -0,0 +1,128 @@ +# Hardened values for rbac-manager v1.21.1 (app version v1.9.2) +# RBAC Manager for automated RBAC management +# Based on official Fairwinds chart values and documentation + +# Image configuration +image: + repository: quay.io/reactiveops/rbac-manager + tag: v1.9.2 + digest: "" + pullPolicy: Always + imagePullSecrets: [] + +# Install CRDs +installCRDs: true + +# CRD configuration +crds: + additionalLabels: + app.kubernetes.io/component: rbac-manager + app.kubernetes.io/part-of: openCenter + +# RBAC configuration +rbac: + additionalLabels: + app.kubernetes.io/component: rbac-manager + app.kubernetes.io/part-of: openCenter + +# Resource management - aligned with official defaults but with hardened limits +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m # Increased from default 100m for better performance + memory: 256Mi # Increased from default 128Mi for stability + +# Priority class for system-critical workload +priorityClassName: "system-cluster-critical" + +# Node scheduling +nodeSelector: + kubernetes.io/os: linux + +# Tolerations for system nodes +tolerations: + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + +# Affinity for better distribution +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - rbac-manager + topologyKey: kubernetes.io/hostname + +# Pod annotations for enhanced monitoring +podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "8080" + prometheus.io/path: "/metrics" + +# Pod labels +podLabels: + app.kubernetes.io/component: rbac-manager + app.kubernetes.io/part-of: openCenter + +# Pod security context - enhanced security +podSecurityContext: + 
runAsNonRoot: true + runAsUser: 65534 + runAsGroup: 65534 + fsGroup: 65534 + seccompProfile: + type: RuntimeDefault + +# Container security context - official recommendations with enhancements +securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL + +# Deployment labels +deploymentLabels: + app.kubernetes.io/component: rbac-manager + app.kubernetes.io/part-of: openCenter + +# Service Monitor for Prometheus - enabled with proper configuration +serviceMonitor: + enabled: true + additionalLabels: + app.kubernetes.io/component: rbac-manager + app.kubernetes.io/part-of: openCenter + annotations: + prometheus.io/scrape: "true" + namespace: rbac-system + interval: 30s + relabelings: + - sourceLabels: [__meta_kubernetes_pod_name] + targetLabel: pod + - sourceLabels: [__meta_kubernetes_namespace] + targetLabel: namespace + +# Extra arguments for enhanced functionality +extraArgs: + # Enable metrics endpoint + metrics-address: "0.0.0.0:8042" + # Set log level + v: "2" + # Enable leader election for HA + # leader-elect: "true" + # Set reconcile period + # sync-period: "30s" diff --git a/applications/base/services/rbac-manager/helmrelease.yaml b/applications/base/services/rbac-manager/helmrelease.yaml new file mode 100644 index 0000000..12a5a5a --- /dev/null +++ b/applications/base/services/rbac-manager/helmrelease.yaml 
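Review bot: The scrape annotations and the metrics flag disagree: `podAnnotations` advertises `prometheus.io/port: "8080"` while `extraArgs` binds `metrics-address: "0.0.0.0:8042"`, so an annotation-driven scraper targets a port nothing listens on; change the annotation to `prometheus.io/port: "8042"` and confirm the chart's Service and ServiceMonitor use the same port, which this hunk does not show. Second, the image is pinned only by the mutable tag `v1.9.2` with `digest: ""` and `pullPolicy: Always`, so every pod start re-resolves the tag and a re-pushed `v1.9.2` would be pulled without any change in git; for a base that calls itself hardened, set `digest: "sha256:<digest of quay.io/reactiveops/rbac-manager:v1.9.2>"` so the tag becomes informational and the chart renders an immutable reference.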
@@ -0,0 +1,37 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: rbac-manager + namespace: rbac-system +spec: + releaseName: rbac-manager + interval: 5m + timeout: 10m + driftDetection: + mode: enabled + install: + remediation: + retries: 3 + remediateLastFailure: true + upgrade: + remediation: + retries: 0 + remediateLastFailure: false + targetNamespace: rbac-system + chart: + spec: + chart: rbac-manager + version: 1.21.1 + sourceRef: + kind: HelmRepository + name: fairwinds-stable + namespace: rbac-system + valuesFrom: + - kind: Secret + name: rbac-manager-values-base + valuesKey: hardened.yaml + - kind: Secret + name: rbac-manager-values-override + valuesKey: override.yaml + optional: true diff --git a/applications/base/services/rbac-manager/kustomization.yaml b/applications/base/services/rbac-manager/kustomization.yaml new file mode 100644 index 0000000..6803e6a --- /dev/null +++ b/applications/base/services/rbac-manager/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - "namespace.yaml" + - "source.yaml" + - "helmrelease.yaml" +secretGenerator: + - name: rbac-manager-values-base + type: Opaque + files: [hardened.yaml=helm-values/hardened-values-1.21.1.yaml] + options: + disableNameSuffixHash: true diff --git a/applications/base/services/rbac-manager/namespace.yaml b/applications/base/services/rbac-manager/namespace.yaml new file mode 100644 index 0000000..c3c7921 --- /dev/null +++ b/applications/base/services/rbac-manager/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: rbac-system diff --git a/applications/base/services/rbac-manager/rbac-definitions/kustomization.yaml b/applications/base/services/rbac-manager/rbac-definitions/kustomization.yaml new file mode 100644 index 0000000..66c6d09 --- /dev/null +++ b/applications/base/services/rbac-manager/rbac-definitions/kustomization.yaml 
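Review bot: `spec` sets no `serviceAccountName`, so helm-controller reconciles this release with its own controller credentials rather than an account scoped to this workload; the chart does install CRDs and cluster-scoped RBAC, so the account needs broad rights, but naming one (for example `serviceAccountName: rbac-manager-flux`, a constructed name) keeps what this release may touch auditable. Separately, `upgrade.remediation` is `retries: 0` with `remediateLastFailure: false`, which leaves a failed chart upgrade in its failed state until someone changes the release; if that is deliberate, a one-line comment above `upgrade:` saying so would save the next reader from treating it as an oversight.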
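Review bot: `files:` in the `secretGenerator` entry uses a flow-style list while every other sequence in the file is block-style; writing it as `files:` followed by `  - hardened.yaml=helm-values/hardened-values-1.21.1.yaml` keeps the file consistent and diffs cleanly when a second values file is added. The base values file contains no secret material and is committed in plain text, so a `configMapGenerator` consumed through `valuesFrom` with `kind: ConfigMap` would be equally valid and keeps the content inspectable with ordinary read access; keeping it as a Secret is reasonable only if parity with the `rbac-manager-values-override` secret is the intent, and that intent is worth a comment.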
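Review bot: The namespace carries no Pod Security Admission labels, even though the values in this series already satisfy the `restricted` profile (`runAsNonRoot`, `seccompProfile: RuntimeDefault`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`). Adding `labels:` / `  pod-security.kubernetes.io/enforce: restricted` / `  pod-security.kubernetes.io/warn: restricted` under `metadata` makes the cluster enforce that posture instead of relying on chart values that the optional override secret can loosen later.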
@@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - oidc-rbac-templates.yaml \ No newline at end of file diff --git a/applications/base/services/rbac-manager/rbac-definitions/oidc-rbac-templates.yaml b/applications/base/services/rbac-manager/rbac-definitions/oidc-rbac-templates.yaml new file mode 100644 index 0000000..eea1707 --- /dev/null +++ b/applications/base/services/rbac-manager/rbac-definitions/oidc-rbac-templates.yaml 
@@ -0,0 +1,293 @@ +# RBAC Definitions for OIDC Integration +# These are example RBACDefinition custom resources that users can apply +# to automatically manage RBAC based on OIDC group membership +# +# Group Structure: +# - oidc:admins: Full cluster admin access +# - oidc:developers: Read-only cluster access +# - oidc:monitoring-users: Dashboard read-only access +# - oidc:observability-team: Comprehensive monitoring (cluster-wide) +# - oidc:platform-team: Infrastructure management +# - oidc:security-team: Audit and security namespace access +# - oidc:viewer: Read-only access to the default namespace +# - oidc:namespace-admins: Namespace creation and management +# - oidc:development-developers: Development namespace access +# - oidc:staging-developers: Staging namespace access +# - oidc:production-developers: Production namespace access +# +# Namespace Labels Required: +# - observability.openCenter.io/managed=true (for monitoring namespaces) +# - security.openCenter.io/managed=true (for security namespaces) +# - environment={development|staging|production} (for env-specific access) + +--- +# Developer access - read-only cluster access +apiVersion: rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-developers + namespace: rbac-system +spec: + rbacBindings: + - name: developers-view-access + subjects: + - kind: Group + name: "oidc:developers" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io + +--- +# Admin access - full cluster admin +apiVersion: rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-admins + namespace: rbac-system +spec: + rbacBindings: + - name: admins-cluster-admin + subjects: + - kind: Group + name: "oidc:admins" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io + +--- +# Namespace admins - namespace creation and management +apiVersion: 
rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-namespace-admins + namespace: rbac-system +spec: + rbacBindings: + - name: namespace-creation-access + subjects: + - kind: Group + name: "oidc:namespace-admins" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: system:namespace-admin + apiGroup: rbac.authorization.k8s.io + +--- +# Namespace developers - edit access to specific namespaces +apiVersion: rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-namespace-developers + namespace: rbac-system +spec: + rbacBindings: + # Development namespace access + - name: dev-namespace-edit + subjects: + - kind: Group + name: "oidc:development-developers" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: edit + apiGroup: rbac.authorization.k8s.io + namespaceSelector: + matchLabels: + environment: development + + # Staging namespace access + - name: staging-namespace-edit + subjects: + - kind: Group + name: "oidc:staging-developers" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: edit + apiGroup: rbac.authorization.k8s.io + namespaceSelector: + matchLabels: + environment: staging + + # Production namespace access + - name: production-namespace-edit + subjects: + - kind: Group + name: "oidc:production-developers" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: edit + apiGroup: rbac.authorization.k8s.io + namespaceSelector: + matchLabels: + environment: production + +--- +# Platform team - cluster management access +apiVersion: rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-platform-team + namespace: rbac-system +spec: + rbacBindings: + - name: platform-infrastructure-access + subjects: + - kind: Group + name: "oidc:platform-team" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io + + # Allow platform 
team to manage RBAC + - name: platform-rbac-management + subjects: + - kind: Group + name: "oidc:platform-team" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: rbac-manager + apiGroup: rbac.authorization.k8s.io + +--- +# Security team - audit and monitoring access +apiVersion: rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-security-team + namespace: rbac-system +spec: + rbacBindings: + - name: security-audit-access + subjects: + - kind: Group + name: "oidc:security-team" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io + + # Access to security namespaces + - name: security-namespace-admin + subjects: + - kind: Group + name: "oidc:security-team" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io + namespaceSelector: + matchLabels: + security.openCenter.io/managed: "true" + +--- +# Observability team - comprehensive monitoring access +apiVersion: rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-observability-team + namespace: rbac-system +spec: + rbacBindings: + # Cluster-wide read access for monitoring all resources + - name: observability-cluster-reader + subjects: + - kind: Group + name: "oidc:observability-team" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: cluster-reader + apiGroup: rbac.authorization.k8s.io + + # Access to monitoring CRDs and resources + - name: observability-monitoring-resources + subjects: + - kind: Group + name: "oidc:observability-team" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: system:monitoring + apiGroup: rbac.authorization.k8s.io + + # Admin access to observability namespaces for managing monitoring tools + - name: observability-namespace-admin + subjects: + - kind: Group + name: "oidc:observability-team" + apiGroup: 
rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io + namespaceSelector: + matchLabels: + observability.openCenter.io/managed: "true" + +--- +# Viewer access - read-only access to default namespace +apiVersion: rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-viewer + namespace: rbac-system +spec: + rbacBindings: + - name: viewer-default-namespace + subjects: + - kind: Group + name: "oidc:viewer" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io + namespaceSelector: + matchLabels: + name: default + +--- +# Read-only monitoring access for developers and other teams +apiVersion: rbacmanager.reactiveops.io/v1beta1 +kind: RBACDefinition +metadata: + name: oidc-monitoring-readonly + namespace: rbac-system +spec: + rbacBindings: + # Read-only access to monitoring dashboards and metrics + - name: monitoring-dashboard-access + subjects: + - kind: Group + name: "oidc:monitoring-users" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io + + # Access to view monitoring resources (Grafana dashboards, etc.) + - name: monitoring-resources-view + subjects: + - kind: Group + name: "oidc:monitoring-users" + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: view + apiGroup: rbac.authorization.k8s.io + namespaceSelector: + matchLabels: + observability.openCenter.io/managed: "true" diff --git a/applications/base/services/rbac-manager/source.yaml b/applications/base/services/rbac-manager/source.yaml new file mode 100644 index 0000000..38c8c81 --- /dev/null +++ b/applications/base/services/rbac-manager/source.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: fairwinds-stable +spec: + url: https://charts.fairwinds.com/stable + interval: 1h 
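Review bot: The HelmRepository has no `metadata.namespace`, while `helmrelease.yaml` resolves it through `sourceRef.namespace: rbac-system` and the base `kustomization.yaml` sets no `namespace:` either; unless the consuming Flux Kustomization applies a `targetNamespace`, the source is created in the default namespace and the release cannot find its chart. Add `namespace: rbac-system` under `metadata` here, or set `namespace: rbac-system` once in the base kustomization so all three resources agree.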
From fa829e92108dab9f7bfb032908a89b304057886e Mon Sep 17 00:00:00 2001 From: Pratik Bandarkar Date: Thu, 9 Oct 2025 17:57:39 +0100 Subject: [PATCH 2/2] fix: fix rbac-manager values.yaml fomatting --- .../helm-values/hardened-values-1.21.1.yaml | 5 +- .../rbac-definitions/kustomization.yaml | 5 - .../rbac-definitions/oidc-rbac-templates.yaml | 293 ------------------ 3 files changed, 3 insertions(+), 300 deletions(-) delete mode 100644 applications/base/services/rbac-manager/rbac-definitions/kustomization.yaml delete mode 100644 applications/base/services/rbac-manager/rbac-definitions/oidc-rbac-templates.yaml diff --git a/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml b/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml index 8afee3c..ee6a156 100644 --- a/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml +++ b/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml @@ -1,3 +1,4 @@ +--- # Hardened values for rbac-manager v1.21.1 (app version v1.9.2) # RBAC Manager for automated RBAC management # Based on official Fairwinds chart values and documentation @@ -31,8 +32,8 @@ resources: cpu: 100m memory: 128Mi limits: - cpu: 200m # Increased from default 100m for better performance - memory: 256Mi # Increased from default 128Mi for stability + cpu: 200m + memory: 256Mi # Priority class for system-critical workload priorityClassName: "system-cluster-critical" diff --git a/applications/base/services/rbac-manager/rbac-definitions/kustomization.yaml b/applications/base/services/rbac-manager/rbac-definitions/kustomization.yaml deleted file mode 100644 index 66c6d09..0000000 --- a/applications/base/services/rbac-manager/rbac-definitions/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - oidc-rbac-templates.yaml \ No newline at end of file 
diff --git a/applications/base/services/rbac-manager/rbac-definitions/oidc-rbac-templates.yaml b/applications/base/services/rbac-manager/rbac-definitions/oidc-rbac-templates.yaml deleted file mode 100644 index eea1707..0000000 --- a/applications/base/services/rbac-manager/rbac-definitions/oidc-rbac-templates.yaml +++ /dev/null 
@@ -1,293 +0,0 @@ -# RBAC Definitions for OIDC Integration -# These are example RBACDefinition custom resources that users can apply -# to automatically manage RBAC based on OIDC group membership -# -# Group Structure: -# - oidc:admins: Full cluster admin access -# - oidc:developers: Read-only cluster access -# - oidc:monitoring-users: Dashboard read-only access -# - oidc:observability-team: Comprehensive monitoring (cluster-wide) -# - oidc:platform-team: Infrastructure management -# - oidc:security-team: Audit and security namespace access -# - oidc:viewer: Read-only access to the default namespace -# - oidc:namespace-admins: Namespace creation and management -# - oidc:development-developers: Development namespace access -# - oidc:staging-developers: Staging namespace access -# - oidc:production-developers: Production namespace access -# -# Namespace Labels Required: -# - observability.openCenter.io/managed=true (for monitoring namespaces) -# - security.openCenter.io/managed=true (for security namespaces) -# - environment={development|staging|production} (for env-specific access) - ---- -# Developer access - read-only cluster access -apiVersion: rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-developers - namespace: rbac-system -spec: - rbacBindings: - - name: developers-view-access - subjects: - - kind: Group - name: "oidc:developers" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: view - apiGroup: rbac.authorization.k8s.io - ---- -# Admin access - full cluster admin -apiVersion: rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-admins - namespace: rbac-system -spec: - rbacBindings: - - name: admins-cluster-admin - subjects: - - kind: Group - name: "oidc:admins" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io - ---- -# Namespace admins - namespace creation and management -apiVersion: 
rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-namespace-admins - namespace: rbac-system -spec: - rbacBindings: - - name: namespace-creation-access - subjects: - - kind: Group - name: "oidc:namespace-admins" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: system:namespace-admin - apiGroup: rbac.authorization.k8s.io - ---- -# Namespace developers - edit access to specific namespaces -apiVersion: rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-namespace-developers - namespace: rbac-system -spec: - rbacBindings: - # Development namespace access - - name: dev-namespace-edit - subjects: - - kind: Group - name: "oidc:development-developers" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: edit - apiGroup: rbac.authorization.k8s.io - namespaceSelector: - matchLabels: - environment: development - - # Staging namespace access - - name: staging-namespace-edit - subjects: - - kind: Group - name: "oidc:staging-developers" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: edit - apiGroup: rbac.authorization.k8s.io - namespaceSelector: - matchLabels: - environment: staging - - # Production namespace access - - name: production-namespace-edit - subjects: - - kind: Group - name: "oidc:production-developers" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: edit - apiGroup: rbac.authorization.k8s.io - namespaceSelector: - matchLabels: - environment: production - ---- -# Platform team - cluster management access -apiVersion: rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-platform-team - namespace: rbac-system -spec: - rbacBindings: - - name: platform-infrastructure-access - subjects: - - kind: Group - name: "oidc:platform-team" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io - - # Allow platform 
team to manage RBAC - - name: platform-rbac-management - subjects: - - kind: Group - name: "oidc:platform-team" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: rbac-manager - apiGroup: rbac.authorization.k8s.io - ---- -# Security team - audit and monitoring access -apiVersion: rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-security-team - namespace: rbac-system -spec: - rbacBindings: - - name: security-audit-access - subjects: - - kind: Group - name: "oidc:security-team" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: view - apiGroup: rbac.authorization.k8s.io - - # Access to security namespaces - - name: security-namespace-admin - subjects: - - kind: Group - name: "oidc:security-team" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: admin - apiGroup: rbac.authorization.k8s.io - namespaceSelector: - matchLabels: - security.openCenter.io/managed: "true" - ---- -# Observability team - comprehensive monitoring access -apiVersion: rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-observability-team - namespace: rbac-system -spec: - rbacBindings: - # Cluster-wide read access for monitoring all resources - - name: observability-cluster-reader - subjects: - - kind: Group - name: "oidc:observability-team" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: cluster-reader - apiGroup: rbac.authorization.k8s.io - - # Access to monitoring CRDs and resources - - name: observability-monitoring-resources - subjects: - - kind: Group - name: "oidc:observability-team" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: system:monitoring - apiGroup: rbac.authorization.k8s.io - - # Admin access to observability namespaces for managing monitoring tools - - name: observability-namespace-admin - subjects: - - kind: Group - name: "oidc:observability-team" - apiGroup: 
rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: admin - apiGroup: rbac.authorization.k8s.io - namespaceSelector: - matchLabels: - observability.openCenter.io/managed: "true" - ---- -# Viewer access - read-only access to default namespace -apiVersion: rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-viewer - namespace: rbac-system -spec: - rbacBindings: - - name: viewer-default-namespace - subjects: - - kind: Group - name: "oidc:viewer" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: view - apiGroup: rbac.authorization.k8s.io - namespaceSelector: - matchLabels: - name: default - ---- -# Read-only monitoring access for developers and other teams -apiVersion: rbacmanager.reactiveops.io/v1beta1 -kind: RBACDefinition -metadata: - name: oidc-monitoring-readonly - namespace: rbac-system -spec: - rbacBindings: - # Read-only access to monitoring dashboards and metrics - - name: monitoring-dashboard-access - subjects: - - kind: Group - name: "oidc:monitoring-users" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: view - apiGroup: rbac.authorization.k8s.io - - # Access to view monitoring resources (Grafana dashboards, etc.) - - name: monitoring-resources-view - subjects: - - kind: Group - name: "oidc:monitoring-users" - apiGroup: rbac.authorization.k8s.io - roleRef: - kind: ClusterRole - name: view - apiGroup: rbac.authorization.k8s.io - namespaceSelector: - matchLabels: - observability.openCenter.io/managed: "true"