Add tag:k8s for Kubernetes workloads (Phase 1 Step 1)
Added:
- tag:k8s to tagOwners for k8s workload management
- Grant for tag:k8s -> tag:registry access (for CI pushing images)
- ACL test case for k8s registry access

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
parent 0db4abe64d
commit 4ef8e24ec6
1 changed file with 14 additions and 0 deletions
@ -59,6 +59,14 @@
"dst": ["tag:nas"],
"ip": ["*"],
},
// --- Kubernetes workloads ---
// k8s workloads (e.g., Woodpecker CI) can push/pull from registry
{
"src": ["tag:k8s"],
"dst": ["tag:registry"],
"ip": ["tcp:443"],
},
],
// ============== SSH Access ==============
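Review bot: the new grant covers every node carrying tag:k8s, not only the CI runner the comment names ("k8s workloads (e.g., Woodpecker CI)"), so any workload that acquires tag:k8s gains push access to the registry on tcp:443; if only CI needs to push, consider a dedicated tag (for example a hypothetical tag:ci) as the source and keep tag:k8s to pull-only paths, or state in the comment that registry write access for all k8s workloads is intended. Minor style point: the section banner `// --- Kubernetes workloads ---` does not match the `// ============== ... ==============` banners used elsewhere in this file.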
@ -103,6 +111,7 @@
"tag:feed": ["autogroup:admin", "tag:blumeops"],
"tag:registry": ["autogroup:admin", "tag:blumeops"],
"tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
"tag:k8s": ["autogroup:admin", "tag:blumeops"],
},
// ============== ACL Tests ==============
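Review bot: the tagOwners entry for tag:k8s mirrors the adjacent tag:registry and tag:k8s-api lines, which keeps ownership consistent, but it also means anything holding tag:blumeops can mint tag:k8s nodes and, through the grant added above, reach tag:registry on 443; worth a one-line comment here recording that tag:blumeops is trusted to delegate registry access, so the transitive reach is documented rather than implicit.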
@ -123,5 +132,10 @@
"src": "tag:homelab",
"accept": ["tag:homelab:22", "tag:nas:445"],
},
// K8s workloads can reach registry
{
"src": "tag:k8s",
"accept": ["tag:registry:443"],
},
],
}
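Review bot: the new test only asserts the positive path (`"accept": ["tag:registry:443"]`); since the grant is scoped to tcp:443 and to tag:registry only, add a negative assertion in the same test entry, such as `"deny": ["tag:registry:22", "tag:nas:445"]`, so a later widening of the "ip" or "dst" list for tag:k8s fails the ACL tests instead of passing silently.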