d-bis/Sankofa
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
Sankofa/gitops/base/rbac/tenant-rbac.yaml
defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements 
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00

98 lines
2.9 KiB
YAML
Raw Permalink Blame History

# Tenant RBAC - More granular than Azure RBAC
# Fine-grained permissions beyond Azure's role-based access
# Tenant Owner Role - Full control over tenant
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tenant-owner
namespace: tenant-template
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["apps"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources: ["*"]
verbs: ["*"]
---
# Tenant Admin Role - Administrative access
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tenant-admin
namespace: tenant-template
rules:
- apiGroups: [""]
resources: ["pods", "services", "configmaps", "secrets", "persistentvolumeclaims"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets", "daemonsets"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies", "ingresses"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Tenant User Role - Standard access
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tenant-user
namespace: tenant-template
rules:
- apiGroups: [""]
resources: ["pods", "services", "configmaps"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# Tenant Viewer Role - Read-only access
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tenant-viewer
namespace: tenant-template
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
# Tenant Billing Admin Role - Billing management
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tenant-billing-admin
namespace: tenant-template
rules:
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch"] # Read-only for billing calculations
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["get", "list", "watch"]
---
# RoleBinding Template
# This would be created per tenant user
# NOTE: This is a template file. USER_EMAIL_PLACEHOLDER should be replaced with actual user email
# when creating RoleBindings. Use the tenant RBAC automation script or controller to process this template.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tenant-user-binding-template
namespace: tenant-template
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: tenant-user # Change based on user role (tenant-owner, tenant-admin, tenant-user, tenant-viewer, tenant-billing-admin)
subjects:
- kind: User
name: "USER_EMAIL_PLACEHOLDER" # Replace with actual user email (e.g., user@example.com)
apiGroup: rbac.authorization.k8s.io
Reference in New Issue View Git Blame Copy Permalink