Google Git
Sign in
apache/casbin-crd-adapter
Mirrored from https://github.com/apache/casbin-crd-adapter.git
Clone this repo:

Branches

Tags

  1. 9f01090 chore(release): 1.0.0 [skip ci] by semantic-release-bot · 3 months ago master v1.0.0
  2. 4fec726 feat: add the code of Kubernetes CRD-backed persistence adapter for Casbin by Yang Luo · 3 months ago
  3. 4e725f7 Initial commit by Yang Luo · 3 months ago

Casbin CRD Adapter

Go Report Card CI Coverage Status GoDoc Release Discord

A Kubernetes Custom Resource Definition (CRD) adapter for Casbin. With this adapter, Casbin can load policy rules from Kubernetes Custom Resources instead of traditional databases.

Features

  • Read-Only Adapter: Designed to keep Kubernetes CRDs as the single source of truth for policies
  • Namespace-Scoped and Cluster-Scoped: Supports both namespace-scoped and cluster-scoped policy resources
  • Duplicate Handling: Automatically deduplicates policies when loading from multiple CRs
  • Deterministic Ordering: Ensures consistent policy loading order across multiple invocations
  • RBAC Support: Handles both permission rules (p) and role/group bindings (g)
  • No Database Required: Eliminates the need for external database dependencies at runtime

Installation

go get github.com/casbin/casbin-crd-adapter

CRD Schema

The adapter expects CasbinPolicy custom resources with the following structure:

apiVersion: casbin.org/v1alpha1
kind: CasbinPolicy
metadata:
  name: example-policy
  namespace: default  # optional, omit for cluster-scoped
spec:
  policyType: p  # or "g" for grouping policies
  rules:
    - values: ["alice", "data1", "read"]
    - values: ["bob", "data2", "write"]

Policy Types

  • p: Permission policies (who can do what on which resource)
  • g: Grouping policies (role/group bindings)

Usage

Basic Usage (Namespace-Scoped)

package main

import (
	"log"

	"github.com/casbin/casbin/v3"
	crdadapter "github.com/casbin/casbin-crd-adapter"
)

func main() {
	// Create adapter for namespace-scoped policies
	adapter, err := crdadapter.NewAdapter("default")
	if err != nil {
		log.Fatal(err)
	}

	// Create enforcer with the adapter
	e, err := casbin.NewEnforcer("model.conf", adapter)
	if err != nil {
		log.Fatal(err)
	}

	// Use the enforcer
	ok, err := e.Enforce("alice", "data1", "read")
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("Alice can read data1: %v", ok)
}

Cluster-Scoped Usage

// Create adapter for cluster-scoped policies
adapter, err := crdadapter.NewAdapter("")
if err != nil {
	log.Fatal(err)
}

Using with Fake Client (for Testing)

import (
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/dynamic/fake"
	crdadapter "github.com/casbin/casbin-crd-adapter"
)

func TestWithFakeClient() {
	scheme := runtime.NewScheme()
	client := fake.NewSimpleDynamicClient(scheme)
	
	adapter := crdadapter.NewAdapterWithClient(client, "default")
	
	e, err := casbin.NewEnforcer("model.conf", adapter)
	// ...
}

Example CRD Definitions

Permission Policy

apiVersion: casbin.org/v1alpha1
kind: CasbinPolicy
metadata:
  name: user-permissions
  namespace: default
spec:
  policyType: p
  rules:
    - values: ["alice", "data1", "read"]
    - values: ["alice", "data1", "write"]
    - values: ["bob", "data2", "write"]

Role/Group Bindings

apiVersion: casbin.org/v1alpha1
kind: CasbinPolicy
metadata:
  name: role-bindings
  namespace: default
spec:
  policyType: g
  rules:
    - values: ["alice", "admin"]
    - values: ["bob", "developer"]

RBAC Model Example

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Write Operations

This adapter is read-only by design. All write operations (SavePolicy, AddPolicy, RemovePolicy, RemoveFilteredPolicy) will return ErrWriteNotSupported.

To modify policies, update the Kubernetes CRD resources directly using kubectl or the Kubernetes API:

# Apply a new policy
kubectl apply -f policy.yaml

# Update existing policy
kubectl edit casbinpolicy example-policy -n default

# Delete a policy
kubectl delete casbinpolicy example-policy -n default

How It Works

  1. The adapter connects to the Kubernetes API server (either in-cluster or via kubeconfig)
  2. It lists all CasbinPolicy custom resources (filtered by namespace if specified)
  3. Policies are sorted deterministically by namespace, name, and policy type
  4. Duplicate policies are automatically removed
  5. Policies are loaded into the Casbin enforcer

Testing

Run the test suite:

go test -v ./...

With coverage:

go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...

Development

Prerequisites

  • Go 1.23.0 or higher
  • Access to a Kubernetes cluster (for integration testing)

Building

go build ./...

Running Tests

go test ./...

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.

Related Projects

  • Casbin - An authorization library that supports access control models like ACL, RBAC, ABAC
  • gorm-adapter - GORM adapter for Casbin
  • ent-adapter - Ent adapter for Casbin

Support