feat: m2m service-group read access path for kubeconfig configurable ttl (#136)

togashidm · web-flow · commit 5551f1f42133 · 2025-10-06T10:43:30.000+01:00
diff --git a/deployment/charts/cluster-connect-gateway/files/openpolicyagent/policy.rego b/deployment/charts/cluster-connect-gateway/files/openpolicyagent/policy.rego
@@ -12,3 +12,11 @@ allow if {
 role := sprintf("%s_cl-rw", [input.project_id])
 
 have_role if role == input.realm_access.roles[_]
+
+allow if service_group_access
+
+service_group_access if {
+	"apps-m2m-service-account" in input.groups
+	"clusters-read-role" in input.realm_access.roles
+	input.preferred_username == "service-account-co-manager-m2m-client"
+}
