Jef Practice: Reusable RBAC to setup team namespace for self-service monitoring

jspaleta · June 5, 2019, 8:15pm

Here’s a practical example of using RBAC to provide self-service monitoring for distinct teams in your organization using a single Sensu server configuration. The premise is each team will be running its own agents and will need its own check,assets, and handlers… all the things in a self-service manner…without bumping into each other.

Before diving in to this practical example, take a look at this blog post describing how Sensu RBAC works: https://blog.sensu.io/understanding-rbac-in-sensu-go

Here’s a Sensu role / role-binding pattern I like to follow when namespaces for teams.
I keep these handy as a single yaml file…and when I need to apply it to a new team I just do a quick find replace on <<namspace>> in line with sed before sending it to sensuctl create
Here’s a gist link to the file:

gist.github.com

https://gist.github.com/jspaleta/aa7d6a09e7f54d27298c079842e0b640

namespace-setup.yaml

---
type: Namespace
api_version: core/v2
metadata: {}
spec:
  name: <<namespace>>
---
type: Role
api_version: core/v2
metadata:

This file has been truncated. show original

Or when integrating with a config/change management system, use this yaml as a template for the cm to use to establish a new namespace resource collection.

Here’s run down of my team namespace pattern.

Create the Sensu namespace
this is pretty self-explanatory
Create Namespace Roles: Admin,Operator,Viewer

The Admin role has full access to all resources in the namespace, including roles and role-bindings.
The Operator has full access to most things, except the RBAC resources…so they can’t add or remove access to the namespace resources.
The Viewer has read access to everything in the namespace, but can’t make any changes.

Create Role Bindings using Associated Groups for each role:
Note I’m making role bindings for both sensu defined groups and ldap groups as separate rules.
I have my LDAP authentication configured to use the ldap: prefix to indicate which groups are defined in ldap, to distinguish them from Sensu defined groups. The ldap integration is a Sensu Enterprise feature, but if you aren’t using Sensu Enterprise, you don’t have to worry about the ldap: version of these role-binding rules, everything will still work with sensu defined users, as long as those users are in one of these groups.
Add users to groups
For enterprise users, this probably means working with your LDAP or AD server and putting users in the correct groups there. For Sensu OSS users, you can adjust Sensu user definitions and defined groups as neeed. In Sensu, groups are an implied resource, defined only in the scope of users. So as soon as you add your first user to a group, that group effective exists.

The generic config file I provided above takes care of 1-3. You still have to populate the users into the corresponding groups that are associated with the role bindings either in Sensu or in your LDAP/AD server.

Topic		Replies	Views
How to monitor multiple environments in sensugo Sensu Go	7	440	September 4, 2019
Webinar Q/A: reusing resources across namespaces Sensu Go	0	450	May 30, 2019
Proxy entities, multiple namespaces, sensu-agent on a single namespace Getting Started sensu-go	1	764	July 7, 2020
Sensu AD configuration Sensu Go	4	372	June 16, 2021
Global Catalog Sensu Flow (Feature Request) Sensu Go	2	255	March 17, 2021

Jef Practice: Reusable RBAC to setup team namespace for self-service monitoring

Related Topics