cluster/registry: fix common namespaces

Public pull ACL in the middle had priority over our more specific rules
- moving these to the top fixes common registry namespace ACLs.

Change-Id: Ia6f05cef09c0db4eb71155d2c0e2d9944b81f903
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1522
Reviewed-by: q3k <q3k@hackerspace.pl>
changes/22/1522/2
informatic 2023-06-20 00:42:15 +02:00 committed by informatic
parent 2e632b9247
commit 10384cd394
1 changed files with 10 additions and 10 deletions


@ -161,6 +161,16 @@ local kube = import "../../../kube/kube.libsonnet";
{ who: ["q3k", "informatic"], what: "cluster/*" },
],
acl: [
{
match: {
account: "/(%s)/" % std.join("|", p.who),
name: p.what,
},
actions: ["*"],
comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
}
for p in data.pushers
] + [
{
match: {account: "/.+/", name: "${account}/*"},
actions: ["*"],
@ -176,16 +186,6 @@ local kube = import "../../../kube/kube.libsonnet";
actions: ["pull"],
comment: "Anyone can pull all images.",
},
] + [
{
match: {
account: "/(%s)/" % std.join("|", p.who),
name: p.what,
},
actions: ["*"],
comment: "%s can push to %s" % [std.join(", ", p.who), p.what],
}
for p in data.pushers
],
}),
}
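Review bot: The account pattern `"/(%s)/" % std.join("|", p.who)` in the pusher rules has no `^`/`$` anchors, and those rules now sit at the top of `acl` with `actions: ["*"]`. If the auth server evaluates `/…/` patterns as unanchored regular expressions (worth confirming against its matcher), any account name that merely contains one of the listed names would match and get full access to `p.what`; `account: "/^(%s)$/" % std.join("|", p.who)` would close that. The names are also joined into the regex unescaped, so a name containing `.` or another metacharacter would match more than intended. Because the fix depends entirely on rule order, a comment above the list such as `// Order matters: specific pusher rules must come before the public pull rule.` would keep a later edit from reintroducing the bug. The enclosing config object starts outside the visible hunks.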