cluster/registry: fix common namespaces
Public pull ACL in the middle had priority over our more specific rules - moving these to the top fixes common registry namespace ACLs. Change-Id: Ia6f05cef09c0db4eb71155d2c0e2d9944b81f903 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1522 Reviewed-by: q3k <q3k@hackerspace.pl>
parent
2e632b9247
commit
10384cd394
1 changed files with 10 additions and 10 deletions
|
@ -161,6 +161,16 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
{ who: ["q3k", "informatic"], what: "cluster/*" },
|
||||
],
|
||||
acl: [
|
||||
{
|
||||
match: {
|
||||
account: "/(%s)/" % std.join("|", p.who),
|
||||
name: p.what,
|
||||
},
|
||||
actions: ["*"],
|
||||
comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
|
||||
}
|
||||
for p in data.pushers
|
||||
] + [
|
||||
{
|
||||
match: {account: "/.+/", name: "${account}/*"},
|
||||
actions: ["*"],
|
||||
|
@ -176,16 +186,6 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
actions: ["pull"],
|
||||
comment: "Anyone can pull all images.",
|
||||
},
|
||||
] + [
|
||||
{
|
||||
match: {
|
||||
account: "/(%s)/" % std.join("|", p.who),
|
||||
name: p.what,
|
||||
},
|
||||
actions: ["*"],
|
||||
comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
|
||||
}
|
||||
for p in data.pushers
|
||||
],
|
||||
}),
|
||||
}
|
||||
|
|
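Review bot: The `account` pattern in the pusher rules that now sit at the top of `acl`, `"/(%s)/" % std.join("|", p.who)`, carries no `^`/`$` anchors and interpolates the names unescaped. If the auth server evaluates `/…/` values as unanchored regular expressions (worth confirming against its matcher), an account whose name merely contains `q3k` or `informatic` would match and receive `actions: ["*"]` on `cluster/*`, and since these rules are now evaluated ahead of the others nothing later can narrow that. Consider `account: "/^(%s)$/" % std.join("|", p.who),` and keeping `who` entries to characters with no regex meaning. A comment above the list such as `// Rule order decides priority: keep the pusher rules ahead of the public pull rule.` would stop a later reorder from reintroducing the problem this commit fixes. The `acl` list continues between the two hunks, so the rules in between are not visible here.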