Google Git
Sign in
apache/casbin-k8s-authz/refs/heads/develop
commit
69a6ead3ffd6319e533e02356046cc0d08f774b6
[log]
author
Ashish Malik <44671044+ashish493@users.noreply.github.com>
Tue Apr 05 12:23:16 2022 +0530
committer
GitHub <noreply@github.com>
Tue Apr 05 14:53:16 2022 +0800
tree
3bb9182ee0713b1ecb7d172bc9b155b2d470622b
parent
e4b5f95c095e16f2a89fd3a79f58e856045dcf9a [diff]
fix: add missing selector label (#26)

Signed-off-by: Ashish Malik <b218008@iiit-bh.ac.in>
1 file changed
tree: 3bb9182ee0713b1ecb7d172bc9b155b2d470622b
  1. .github/
  2. certs/
  3. config/
  4. manifests/
  5. .gitignore
  6. .releaserc.json
  7. Dockerfile
  8. gen_cert.sh
  9. go.mod
  10. go.sum
  11. k8s-logo.png
  12. LICENSE
  13. main.go
  14. README.md
  15. server.go
README.md

k8s-authz

Contributions Welcome Go Report Card Coverage Status Go Gitter License

K8s-authz is authorization middleware for Kubernetes, which is based on Casbin.

Installation

go get github.com/casbin/k8s-authz

Working

This middleware uses K8s validation admission webhook to check the policies defined by casbin, for every request related to the pods. The K8s API server needs to know when to send the incoming request to our admission controller. For this part, we have defined a validation webhook which would proxy the requests for the pods and perform policy verification on it. The user would be allowed to perform the operations on the pods, only if the casbin enforcer authorizes it. The enforcer checks the roles of the user defined in the policies. This middleware would be deployed on the k8s cluster.

Requirements

Before proceeding, make sure to have the following-

  • Running k8s Cluster
  • kubectl
  • Openssl

Configuration and Usage

  • Generate the certificates and keys for every user by using openssl and running the following script:-
./gen_cert.sh
  • Build the docker image from the Dockerfile manually by running the following command and then change the build version here and at the deployment file, as per the builds.
 docker build -t casbin/k8s_authz:0.1 .

  • Define the casbin policies in the model.conf and policy.csv. You can refer the docs to get to know more about the working of these policies.

  • Before deploying, you can change the ports in main.go and also in the validation webhook configuration file depending on your usage.

  • Deploy the validation controller and the webhook on k8s cluster by running:-

kubectl apply -f deployment.yaml
  • For a production server, we need to create a k8s secret to place the certificates for security purposes.
kubectl create secret generic casbin -n default \
  --from-file=key.pem=certs/casbin-key.pem \
  --from-file=cert.pem=certs/casbin-crt.pem
  • Once, this part is done we need to change the directory of the certs in main.go and then in manifests with that of the secret.

Now the server should be running and ready to validate the requests for the operations on the pods.

Documentation

You can check the official docs for more detailed explaination.

Community

In case of any query, you can ask on our gitter channel.