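# Access profile "readonly": read-only access for monitoring and auditing.
# Nesting below is restored from the stanza order; as a flat mapping the
# keys commands/providers/taskservs/profiles would be duplicates, and most
# parsers silently keep only the last one.
profile: readonly
description: Read-only access profile for monitoring and auditing
# Quoted so the version always loads as a string.
version: "1.0.0"
# NOTE(review): the effect of this flag is not visible in this file;
# presumably it switches on enforcement of the lists below - confirm.
restricted: true

# Read-only permissions
allowed:
  # NOTE(review): "show" and "context" are broad entries. Confirm how the
  # consumer matches them (exact vs. prefix) and that nothing they cover
  # prints secret values or changes state.
  commands:
    - "server list"
    - "server status"
    - "taskserv list"
    - "taskserv status"
    - "cluster status"
    - "show"
    - "context"

  providers:
    - "local"
    - "aws"
    - "upcloud"
    - "digitalocean"

  # NOTE(review): empty here while "taskserv list"/"taskserv status" are
  # allowed above; confirm the consumer reads [] as "none" and not as
  # "no restriction".
  taskservs: []

  # Production is in scope, so this profile can read production state.
  profiles:
    - "production"
    - "staging"
    - "development"

# All modification operations blocked
# NOTE(review): this is an explicit deny list. Confirm that a command in
# neither list is rejected (default-deny); otherwise any mutating command
# not named here would still be reachable from this profile.
blocked:
  commands:
    - "server create"
    - "server delete"
    - "server ssh"
    - "taskserv create"
    - "taskserv delete"
    - "taskserv install"
    - "cluster create"
    - "cluster delete"
    - "generate"
    - "sops"
    - "secrets"

  # Nothing is denied by provider, taskserv or profile; scoping on those
  # axes comes only from the allowed lists above.
  providers: []
  taskservs: []
  profiles: []

# No resource limits needed for read-only
# NOTE(review): confirm the consumer treats 0 and [] as "nothing permitted"
# rather than "unlimited" / "any".
environment:
  max_servers: 0
  allowed_regions: []
  allowed_sizes: []

# Audit settings
audit:
  # Every command run under this profile is logged.
  log_commands: true
  # No justification is requested, including for reads of production.
  require_justification: false
  # The URL comes from the environment and is kept out of this file.
  # NOTE(review): confirm the consumer expands ${...} and what happens when
  # the variable is unset (refuse to run vs. silently skip notification).
  notify_webhook: "${READONLY_AUDIT_WEBHOOK_URL}"

# 24/7 access for monitoring
schedule:
  # Quoted so the digits-and-colons value stays a string.
  # NOTE(review): confirm the end bound is inclusive; if not, the last
  # minute of each day falls outside the window.
  allowed_hours: "00:00-23:59"
  allowed_days: ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
  timezone: "UTC"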