Crossplane Composition RBAC ABAC Policy —

Crossplane RBAC ABAC

Crossplane Composition RBAC ABAC Policy Infrastructure as Code Kubernetes CRD Claim Multi-tenant OPA Kyverno Access Control Platform API Cloud Resources

Policy Engine	Language	Complexity	K8s Native	เหมาะกับ
OPA Gatekeeper	Rego	สูง	Admission	Complex Policy
Kyverno	YAML	ต่ำ	Admission + Mutation	Simple Policy
K8s RBAC	YAML	ต่ำ	Built-in	Who can do what
CEL	Expression	ปานกลาง	ValidatingAdmissionPolicy	Simple Validation

Crossplane Composition

=== Crossplane Composition ===

CompositeResourceDefinition (XRD)

apiVersion: apiextensions.crossplane.io/v1

kind: CompositeResourceDefinition

metadata:

spec:

group: platform.example.com

names:

kind: Database

plural: databases

claimNames:

kind: DatabaseClaim

plural: databaseclaims

versions:

name: v1alpha1

served: true

reachable: true

schema:

openAPIV3Schema:

type: object

properties:

spec:

type: object

properties:

engine:

type: string

enum: [postgres, mysql]

size:

type: string

enum: [small, medium, large]

environment:

type: string

enum: [dev, staging, prod]

เนื้อหาเกี่ยวข้อง — ทำความเข้าใจ โอนเงินจากกสิกรไปออมสินเงินไม่เข้า

Composition

apiVersion: apiextensions.crossplane.io/v1

kind: Composition

metadata:

spec:

compositeTypeRef:

apiVersion: platform.example.com/v1alpha1

kind: Database

แนะนำเพิ่มเติม — ติดตาม XM Signal

resources:

name: rds-instance

base:

apiVersion: rds.aws.upbound.io/v1beta1

kind: Instance

spec:

forProvider:

engine: postgres

instanceClass: db.t3.medium

allocatedStorage: 20

name: security-group

base:

apiVersion: ec2.aws.upbound.io/v1beta1

kind: SecurityGroup

Claim (Developer uses this)

apiVersion: platform.example.com/v1alpha1

kind: DatabaseClaim

metadata:

namespace: team-alpha

spec:

engine: postgres

size: medium

เนื้อหาเกี่ยวข้อง — อ่านต่อ: swift code ttb ดูตรงไหน

environment: dev

from dataclasses import dataclass

@dataclass

class Composition:

resources: int

providers: str

claims: int

teams: int

compositions = [

Composition("Database", 4, "AWS RDS, SG, Subnet, SSM", 12, 5),

Composition("Kubernetes Cluster", 8, "EKS, VPC, IAM, NodeGroup", 3, 2),

Composition("Storage Bucket", 2, "S3, IAM Policy", 25, 8),

แนะนำเพิ่มเติม — เรียนเทรดกับ iCafeForex

Composition("Redis Cache", 3, "ElastiCache, SG, Subnet", 8, 4),

Composition("VPC Network", 6, "VPC, Subnet, IGW, NAT, RT", 5, 3),

]

print("=== Compositions ===")

for c in compositions:

print(f" [{c.name}] {c.resources} resources")

print(f" Providers: {c.providers}")

print(f" Active Claims: {c.claims} | Teams: {c.teams}")

RBAC ABAC Policy

=== RBAC + ABAC Policy ===

Kubernetes RBAC for Crossplane Claims

เนื้อหาเกี่ยวข้อง — Data Driven Organization Structure —

apiVersion: rbac.authorization.k8s.io/v1

kind: Role

metadata:

namespace: team-alpha

rules:

apiGroups: ["platform.example.com"]

resources: ["databaseclaims"]

verbs: ["get", "list", "create", "update", "delete"]

apiGroups: ["platform.example.com"]

resources: ["storagebucketclaims"]

verbs: ["get", "list", "create"]

Kyverno Policy — Enforce Labels and Limits

apiVersion: kyverno.io/v1

kind: ClusterPolicy

metadata:

spec:

rules:

name: require-team-label

match:

resources:

kinds: ["DatabaseClaim", "StorageBucketClaim"]

validate:

message: "Claims must have team and cost-center labels"

pattern:

metadata:

labels:

team: "?*"

cost-center: "?*"

name: restrict-prod-size

match:

resources:

kinds: ["DatabaseClaim"]

preconditions:

key: "{{request.object.spec.environment}}"

operator: Equals

value: "dev"

validate:

message: "Dev environment only allows small/medium"

เนื้อหาเกี่ยวข้อง — อ่านต่อ: Vector Database Pinecone Remote Work Setup —

pattern:

spec:

size: "small | medium"

@dataclass

class PolicyRule:

type: str

scope: str

action: str

violations_30d: int

policies = [

PolicyRule("Require Team Label", "Validation", "All Claims", "Block", 5),

PolicyRule("Dev Size Limit", "Validation", "DatabaseClaim (dev)", "Block", 8),

PolicyRule("Prod Approval Required", "Validation", "All Claims (prod)", "Block + Alert", 2),

PolicyRule("Budget Limit per Team", "ABAC", "All Claims", "Block at limit", 3),

PolicyRule("Naming Convention", "Mutation", "All Claims", "Auto-fix", 15),

PolicyRule("Auto-add Tags", "Mutation", "All Resources", "Inject tags", 0),

]

print("\n=== Policy Rules ===")

for p in policies:

print(f" [{p.type}] {p.name}")

print(f" Scope: {p.scope} | Action: {p.action} | Violations: {p.violations_30d}")

Multi-tenant Architecture

# === Multi-tenant Crossplane ===



# Namespace per Team

# kubectl create namespace team-alpha

# kubectl create namespace team-beta

# kubectl create namespace team-gamma



# RoleBinding per Team

# apiVersion: rbac.authorization.k8s.io/v1

# kind: RoleBinding

# metadata:

#   name: team-alpha-db-access

#   namespace: team-alpha

# subjects:

#   - kind: Group

#     name: team-alpha

#     apiGroup: rbac.authorization.k8s.io

# roleRef:

#   kind: Role

#   name: database-user

#   apiGroup: rbac.authorization.k8s.io



# Budget Tracking per Team

# OPA Rego Policy:

# package crossplane.budget

# deny[msg] {

#   input.review.object.kind == "DatabaseClaim"

#   team := input.review.object.metadata.labels.team

#   current_cost := data.budgets[team].current

#   limit := data.budgets[team].limit

#   current_cost > limit

#   msg := sprintf("Team %s exceeded budget: $%d/$%d", [team, current_cost, limit])

# }



@dataclass

class TeamQuota:

    team: str

    namespace: str

    db_limit: int

    db_used: int

    budget: float

    spent: float

    members: int



teams = [

    TeamQuota("Alpha", "team-alpha", 5, 3, 5000, 3200, 8),

    TeamQuota("Beta", "team-beta", 3, 2, 3000, 1800, 5),

    TeamQuota("Gamma", "team-gamma", 10, 7, 10000, 7500, 15),

    TeamQuota("Platform", "team-platform", 20, 12, 20000, 14000, 10),

]



print("Multi-tenant Dashboard:")

for t in teams:

    db_pct = t.db_used / t.db_limit * 100

    budget_pct = t.spent / t.budget * 100

    print(f"  [{t.team}] ns: {t.namespace} | Members: {t.members}")

    print(f"    DB: {t.db_used}/{t.db_limit} ({db_pct:.0f}%) | Budget: / ({budget_pct:.0f}%)")



audit_checklist = [

    "RBAC: แต่ละ Team ใช้ได้เฉพาะ Namespace ตัวเอง",

    "Policy: บังคับ Labels Team Cost-center ทุก Claim",

    "Quota: จำกัด Resource ต่อ Team",

    "Budget: Alert เมื่อใช้ 80% Block เมื่อ 100%",

    "Audit: Log ทุก Create/Update/Delete Resource",

    "Network: แยก VPC/Subnet ต่อ Environment",

    "Encryption: เข้ารหัส Secrets ทุกตัว",

]



print(f"\n\nAudit Checklist:")

for i, c in enumerate(audit_checklist, 1):

    print(f"  {i}. {c}")

เคล็ดลับ

Composition: สร้าง Composition ซ่อนความซับซ้อนจาก Dev
RBAC: ใช้ K8s RBAC จำกัดสิทธิ์ต่อ Namespace
Kyverno: ใช้ Kyverno สำหรับ Policy ง่ายกว่า OPA
Labels: บังคับ Labels ทุก Claim สำหรับ Cost Tracking
Budget: ตั้ง Budget Limit ต่อ Team ป้องกันบานปลาย

Crossplane Composition คืออะไร

รวม Cloud Resources เป็น API เดียว CRD Claim Developer ไม่ต้องรู้ Cloud RDS SG Subnet SSM Platform API Kubernetes

Crossplane Composition RBAC ABAC Policy —

Crossplane RBAC ABAC

Crossplane Composition

metadata:

spec:

names:

claimNames:

versions:

schema:

openAPIV3Schema:

properties:

spec:

properties:

engine:

size:

environment:

metadata:

spec:

compositeTypeRef:

resources:

base:

spec:

forProvider:

base:

metadata:

spec:

class Composition:

for c in compositions:

RBAC ABAC Policy

metadata:

rules:

metadata:

spec:

rules:

match:

resources:

validate:

pattern:

metadata:

labels:

match:

resources:

preconditions:

validate:

pattern:

spec:

class PolicyRule:

for p in policies:

Multi-tenant Architecture

เคล็ดลับ

Crossplane Composition คืออะไร

บทความที่เกี่ยวข้อง

แนะนำจากเครือข่าย SiamCafe

บทความที่เกี่ยวข้อง