cluster/registry: fix common namespaces
Public pull ACL in the middle had priority over our more specific rules
- moving these to the top fixes common registry namespace ACLs.
Change-Id: Ia6f05cef09c0db4eb71155d2c0e2d9944b81f903
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1522
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/kube/lib/registry.libsonnet b/cluster/kube/lib/registry.libsonnet
index d26d0fd..8142855 100644
--- a/cluster/kube/lib/registry.libsonnet
+++ b/cluster/kube/lib/registry.libsonnet
@@ -162,6 +162,16 @@
],
acl: [
{
+ match: {
+ account: "/(%s)/" % std.join("|", p.who),
+ name: p.what,
+ },
+ actions: ["*"],
+ comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
+ }
+ for p in data.pushers
+ ] + [
+ {
match: {account: "/.+/", name: "${account}/*"},
actions: ["*"],
comment: "Logged in users have full access to images that are in their 'namespace'",
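Review bot: The `account` pattern on the added pusher rule, `"/(%s)/" % std.join("|", p.who)`, has no `^`/`$` anchors, and this matters more now that the rule sits first in the list and grants `*`. If the ACL matcher treats `/…/` as an unanchored regex search (worth confirming for the auth server in use), any account whose name merely contains one of the `p.who` entries would get full access to `p.what`. Consider `account: "/^(%s)$/" % std.join("|", p.who),` and check that `p.who` entries contain no regex metacharacters, or escape them. The `acl` list begins before this hunk and continues past it, so the rest of the rule ordering is not visible here.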
@@ -176,16 +186,6 @@
actions: ["pull"],
comment: "Anyone can pull all images.",
},
- ] + [
- {
- match: {
- account: "/(%s)/" % std.join("|", p.who),
- name: p.what,
- },
- actions: ["*"],
- comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
- }
- for p in data.pushers
],
}),
}