feat(scripts): add script to create users

Also, added `ClusterRoles` for use with this script.

Signed-off-by: Bradley Reynolds <[email protected]>
Signed-off-by: Siddhesh Mhadnak <[email protected]>

.gitignore

@@ -1,5 +1,8 @@
-# Secrets
-secrets.yaml
-
-# Helm
-kubernetes/chart/charts/*.tgz
+# Secrets
+secrets.yaml
+
+# Helm
+kubernetes/chart/charts/*.tgz
+
+# Generated kube configs
+*.config

kubernetes/manifests/_/rbac/cluster-roles/vipyrsec-admins.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+
+metadata:
+  name: vipyrsec-admins
+
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - nonResourceURLs:
+      - '*'
+    verbs:
+      - '*'

kubernetes/manifests/_/rbac/cluster-roles/vipyrsec-core-devs.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+
+metadata:
+  name: vipyrsec-core-devs
+
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - services
+      - configmaps
+      - secrets
+    verbs:
+      - list
+      - get
+      - patch
+      - update
+
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - replicasets
+      - deployments
+    verbs:
+      - list
+      - get
+      - patch
+      - update
+
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - list
+      - get
+      - patch
+      - update
+
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list
+      - get
+      - patch
+      - update

kubernetes/manifests/_/rbac/cluster-roles/vipyrsec.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+
+metadata:
+  name: vipyrsec
+
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - services
+      - configmaps
+      - secrets
+    verbs:
+      - list
+
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - replicasets
+      - deployments
+    verbs:
+      - list
+
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - list
+
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list

kubernetes/rbac/README.md

@@ -0,0 +1,65 @@
+# Kubernetes RBAC
+
+## Create a user
+
+> [!IMPORTANT]
+> Make sure to set the `kubectl` context to the cluster to which you want to add the user!
+
+```bash
+./create_user.py <user> -g <group>
+```
+
+This will,
+
+1. Create a private key for the user
+2. Provision a client certificate for the user using the private key
+3. Grant the permissions for the requested groups to the user
+4. Generate a kubeconfig using the private key, and the client certificate for use with `kubectl`
+
+### Examples
+
+1. Create a user `foo` with group `vipyrsec`
+
+```bash
+./create_user.py foo -g vipyrsec -g vipyrsec-core-devs
+```
+
+2. Create a user `bar` with groups `vipyrsec`, and `vipyrsec-admins` with a day's validity
+
+```bash
+./create_user.py bar -g vipyrsec -g vipyrsec-core-devs --expiry-seconds 86400
+```
+
+## Revoke a user's access granted by a specific role
+
+> [!IMPORTANT]
+> Make sure to set the `kubectl` context to the cluster from which you want to revoke the user's access!
+
+```bash
+kubectl delete clusterrolebinding <user>@<group>
+```
+
+### Example
+
+Revoke user `foo`'s access granted by `vipyrsec-core-devs`
+
+```bash
+kubectl delete clusterrolebinding foo@vipyrsec-core-devs
+```
+
+## Revoke all permissions granted to a user (AKA, delete the user)
+
+> [!IMPORTANT]
+> Make sure to set the `kubectl` context to the cluster from which you want to revoke the user's access!
+
+```bash
+kubectl delete clusterrolebinding -luser=<user>
+```
+
+### Example
+
+Revoke all permissions granted to user `foo`
+
+```bash
+kubectl delete clusterrolebinding -luser=foo
+```