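---
# Kyverno ClusterPolicy that assembles Authelia's access-control rules into
# the authelia/authelia-acl Secret.
#   - update-from-base fires when that Secret itself is created/updated.
#   - update-from-fragment fires when a ConfigMap annotated
#     config.huizinga.dev/generate=authelia-acl changes, and rewrites the Secret
#     as a mutate-existing target.
# Both rules render stringData["configuration.acl.yaml"] from the Secret's own
# base64-encoded data.rules followed by every ConfigMap fragment returned by
# the apiCall context (ConfigMaps annotated config.huizinga.dev/fragment=authelia-acl).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-authelia-acl
  annotations:
    policies.kyverno.io/title: Generate Authelia ACL
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Secret
    # Version-looking values are quoted so no YAML loader retypes them
    # (consistent with the already-quoted kubernetes-version).
    kyverno.io/kyverno-version: "1.7.0"
    policies.kyverno.io/minversion: "1.7.0"
    kyverno.io/kubernetes-version: "1.23"
spec:
  rules:
    - name: update-from-base
      match:
        any:
          - resources:
              kinds:
                - Secret
              name: authelia-acl
              namespaces:
                - authelia
      context:
        # NOTE(review): /api/v1/configmaps lists ConfigMaps in EVERY namespace,
        # and any one carrying the fragment annotation has its data.rules
        # spliced straight into Authelia's ACL. Whoever can create a ConfigMap
        # in any namespace can therefore add or loosen access-control rules.
        # If cluster-wide aggregation is not intended, scope the apiCall to a
        # namespace (/api/v1/namespaces/<ns>/configmaps) or filter on an
        # allowlist of metadata.namespace values in the jmesPath.
        - name: rules
          apiCall:
            urlPath: "/api/v1/configmaps"
            jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)'
      mutate:
        patchStrategicMerge:
          stringData:
            # The value is an Authelia YAML document. Each rule list is
            # re-indented by replacing every embedded newline with
            # newline + indent so the entries sit under `rules:`.
            # NOTE(review): the whitespace inside the two replace_all()
            # string literals (the indent after each embedded newline) was
            # not recoverable from the rendered source; the 4-space indent
            # below is reconstructed — confirm against the upstream file.
            "configuration.acl.yaml": |
              access_control:
                rules:
                  {{ replace_all(base64_decode(request.object.data.rules || ''), '
              ', '
                  ') }}{{ replace_all(rules, '
              ', '
                  ') }}

    - name: update-from-fragment
      # NOTE(review): the trigger annotation is config.huizinga.dev/generate,
      # while fragments are collected by config.huizinga.dev/fragment. A
      # fragment ConfigMap that lacks the generate annotation will not cause a
      # re-render on its own — presumably intentional; confirm. The match is
      # not namespace-restricted, so a ConfigMap in any namespace can trigger
      # a rewrite of the authelia/authelia-acl Secret.
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
              annotations:
                config.huizinga.dev/generate: authelia-acl
      context:
        # Same cluster-wide fragment lookup as update-from-base; the scoping
        # caveat noted there applies here too.
        - name: rules
          apiCall:
            urlPath: "/api/v1/configmaps"
            jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)'
      mutate:
        # Re-run against the existing target when the policy itself changes.
        mutateExistingOnPolicyUpdate: true
        targets:
          - apiVersion: v1
            kind: Secret
            name: authelia-acl
            namespace: authelia
        patchStrategicMerge:
          stringData:
            # `target` is the existing Secret being mutated; its data.rules
            # holds the base64-encoded base rules.
            # NOTE(review): indent inside the replace_all() literals
            # reconstructed as in update-from-base — confirm upstream.
            "configuration.acl.yaml": |
              access_control:
                rules:
                  {{ replace_all(base64_decode(target.data.rules || ''), '
              ', '
                  ') }}{{ replace_all(rules, '
              ', '
                  ') }}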