From 10384cd39412cd0ab3094248de3c691b6174fa65 Mon Sep 17 00:00:00 2001
From: Piotr Dobrowolski
Date: Tue, 20 Jun 2023 00:42:15 +0200
Subject: [PATCH] cluster/registry: fix common namespaces

Public pull ACL in the middle had priority over our more specific rules - moving these to the top fixes common registry namespace ACLs.

Change-Id: Ia6f05cef09c0db4eb71155d2c0e2d9944b81f903
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1522
Reviewed-by: q3k
---
 cluster/kube/lib/registry.libsonnet | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/cluster/kube/lib/registry.libsonnet b/cluster/kube/lib/registry.libsonnet
index d26d0fdb..8142855f 100644
--- a/cluster/kube/lib/registry.libsonnet
+++ b/cluster/kube/lib/registry.libsonnet
@@ -161,6 +161,16 @@ local kube = import "../../../kube/kube.libsonnet";
 { who: ["q3k", "informatic"], what: "cluster/*" },
 ],
 acl: [
+ {
+ match: {
+ account: "/(%s)/" % std.join("|", p.who),
+ name: p.what,
+ },
+ actions: ["*"],
+ comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
+ }
+ for p in data.pushers
+ ] + [
 {
 match: {account: "/.+/", name: "${account}/*"},
 actions: ["*"],
@@ -176,16 +186,6 @@ local kube = import "../../../kube/kube.libsonnet";
 actions: ["pull"],
 comment: "Anyone can pull all images.",
 },
- ] + [
- {
- match: {
- account: "/(%s)/" % std.join("|", p.who),
- name: p.what,
- },
- actions: ["*"],
- comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
- }
- for p in data.pushers
 ],
 }),
 }
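Review bot: The account pattern in the added pusher rule of the first hunk, `"/(%s)/" % std.join("|", p.who)`, has no `^`/`$` anchors, so if the ACL engine treats slash-delimited patterns as unanchored regular expressions, any account whose name merely contains `q3k` or `informatic` would match and be granted `["*"]` on `cluster/*`. With these entries now first in the list, and the commit message stating that earlier entries take priority, this match is the one that decides access to the common namespaces. Consider `account: "/^(%s)$/" % std.join("|", p.who),` and check that the names listed in `who` contain no regex metacharacters, since they are joined into the pattern unescaped. The `acl` list and the enclosing object start and end outside the hunk, so how the rest of the rule set interacts with this cannot be checked from here.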