commit b13b7ffcdb3d37022d4cad4603b9bdacc6c54936
author Sergiusz Bazanski <q3k@hackerspace.pl> Thu Aug 29 20:12:24 2019 +0200
committer Sergiusz Bazanski <q3k@hackerspace.pl> Fri Aug 30 23:08:18 2019 +0200
tree fa2309b04edc36fe855f9e344dae4a91ef376add
parent d16454badc639bcec7ab4b54e7fe6a897b6052af

prod{access,vider}: implement

Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have adminitrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153

cluster/kube/lib/registry.libsonnet

diff --git a/cluster/kube/lib/registry.libsonnet b/cluster/kube/lib/registry.libsonnet
index 1ce022d..a791acf 100644
--- a/cluster/kube/lib/registry.libsonnet
+++ b/cluster/kube/lib/registry.libsonnet
@@ -152,11 +152,12 @@
                     },
                     local data = self,
                     pushers:: [
-                            { who: ["q3k", "inf"], what: "vms/*" },
-                            { who: ["q3k", "inf"], what: "app/*" },
-                            { who: ["q3k", "inf"], what: "go/svc/*" },
+                            { who: ["q3k", "informatic"], what: "vms/*" },
+                            { who: ["q3k", "informatic"], what: "app/*" },
+                            { who: ["q3k", "informatic"], what: "go/svc/*" },
                             { who: ["q3k"], what: "bgpwtf/*" },
                             { who: ["q3k"], what: "devtools/*" },
+                            { who: ["q3k", "informatic"], what: "cluster/*" },
                     ],
                     acl: [
                         {