Authorization of Kubernetes
K8s-authz is a Kubernetes (k8s) authorization middleware based on Casbin that uses RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) for policy enforcement. It runs as a validating admission webhook: the controller is registered with the API server through a ValidatingWebhookConfiguration (evaluated by the ValidatingAdmissionWebhook admission plugin), receives each matching request object that the API server forwards to it, checks the request against the policies defined for Casbin, and responds with a decision to allow or reject it.
The webhook configuration determines which incoming requests the API server sends to the controller; the configuration shipped here matches every type of K8s resource and sub-resource, so each of those requests gets a policy check. A user may perform an operation on a resource only if the Casbin enforcer authorizes it, and the enforcer decides from the roles the policies assign to that user. Two limits of this design are worth keeping in mind. Admission runs only after the API server has already authenticated the user and passed the request through its own authorization (RBAC), so the webhook adds a policy layer on top of Kubernetes RBAC rather than replacing it; and admission controllers, this one included, see only create, update, delete and connect operations, never reads (get, list, watch). The middleware is deployed into the K8s cluster it protects.
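To make the exchange concrete, here is an added example (written for this page, not code from the k8s-authz project) of the round trip described above: the API server POSTs an AdmissionReview to the webhook, the webhook extracts the authenticated user, namespace, resource and operation from the request, decides, and returns an AdmissionReview whose response echoes the request uid. To keep it self-contained the decision is made by a small stand-in matcher instead of the Casbin library; it implements an assumed Casbin RBAC model with request `r = sub, ns, obj, act` and matcher `m = g(r.sub, p.sub) && (p.ns == "*" || r.ns == p.ns) && (p.obj == "*" || r.obj == p.obj) && (p.act == "*" || r.act == p.act)`, which may differ from the project's model.conf. The sample policy, the field subset of AdmissionReview and the endpoint name are constructed for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Subset of admission.k8s.io/v1 AdmissionReview used here; other fields are ignored.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string                                    `json:"uid"`
	Operation string                                    `json:"operation"` // CREATE, UPDATE, DELETE or CONNECT
	Namespace string                                    `json:"namespace"`
	Resource  struct{ Resource string `json:"resource"` } `json:"resource"` // plural name, e.g. "deployments"
	UserInfo  struct{ Username string `json:"username"` } `json:"userInfo"` // identity the API server authenticated
}

type AdmissionResponse struct {
	UID     string            `json:"uid"` // must echo request.uid or the API server rejects the answer
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // "message" is returned to the client on denial
}

// Rule is one policy.csv line: "p, sub, ns, res, act" grants, "g, user, role" assigns a role.
type Rule []string

func ParsePolicy(csv string) (rules []Rule) {
	for _, line := range strings.Split(csv, "\n") {
		if f := strings.Fields(strings.ReplaceAll(line, ",", " ")); len(f) > 0 && f[0] != "#" {
			rules = append(rules, f)
		}
	}
	return rules
}

func match(pattern, value string) bool { return pattern == "*" || pattern == value }

// Enforce stands in for the Casbin enforcer: the user, or a role assigned to it
// by a g rule, must hold a p rule covering the namespace, resource and action.
func Enforce(rules []Rule, user, ns, res, act string) bool {
	subs := map[string]bool{user: true}
	for _, r := range rules {
		if len(r) == 3 && r[0] == "g" && r[1] == user {
			subs[r[2]] = true
		}
	}
	for _, r := range rules {
		if len(r) == 5 && r[0] == "p" && subs[r[1]] &&
			match(r[2], ns) && match(r[3], res) && match(r[4], act) {
			return true
		}
	}
	return false
}

// Review builds the reply the API server expects: same apiVersion/kind, uid echoed.
func Review(rules []Rule, in AdmissionReview) AdmissionReview {
	out := AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview"}
	if in.Request == nil { // fail closed on a review that carries no request
		out.Response = &AdmissionResponse{Status: map[string]string{"message": "missing request"}}
		return out
	}
	req, act := in.Request, strings.ToLower(in.Request.Operation)
	resp := &AdmissionResponse{UID: req.UID}
	resp.Allowed = Enforce(rules, req.UserInfo.Username, req.Namespace, req.Resource.Resource, act)
	if !resp.Allowed {
		resp.Status = map[string]string{"message": "casbin: " + req.UserInfo.Username + " may not " +
			act + " " + req.Resource.Resource + " in namespace " + req.Namespace}
	}
	out.Response = resp
	return out
}

// Handler is the endpoint clientConfig points at. A malformed body gets an HTTP
// error, which the API server resolves by failurePolicy (Fail denies, Ignore allows).
func Handler(rules []Rule) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var in AdmissionReview
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
			http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(Review(rules, in))
	}
}

// SamplePolicy is a constructed policy in policy.csv shape, not the project's file.
const SamplePolicy = `p, admin, *, *, *
p, dev, default, deployments, create
g, alice, admin
g, bob, dev`
```

Serve `Handler` with `http.ListenAndServeTLS` using the certificate generated in the Usage steps: the API server refuses to call a webhook over plain HTTP, and it only trusts the server certificate if the CA that signed it is in the webhook configuration's caBundle. Note the two fail-closed choices: a review without a request is denied rather than ignored, and a body the server cannot parse is answered with an HTTP error so that a `failurePolicy: Fail` configuration rejects the original request instead of silently admitting it.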
Requirements
Before proceeding, ensure that you have the following:
- A running Kubernetes cluster. You can set up a local cluster using Docker or set up a complete Kubernetes ecosystem on your server. For detailed instructions, refer to this guide for setting up a local Kubernetes cluster on Windows or this guide for setting up a cluster on Linux.
- Kubectl CLI. Instructions for installing Kubectl on Windows can be found here, and for Linux here.
- OpenSSL
Usage
Follow these steps to use K8s-authz:
Generate the TLS certificate and key for the webhook server using OpenSSL. The API server only calls admission webhooks over HTTPS, and the CA that signs this certificate must be handed to the API server in the caBundle field of the webhook configuration. Run the script below:
./gen_cert.sh
Build the Docker image from the Dockerfile by running the following command. When you change the build version, use the same tag in this command and in the image reference in deployment.yaml.
docker build -t casbin/k8s_authz:0.1 .
Define the Casbin policies in the model.conf and policy.csv files. For more information on how these policies work, refer to the documentation.
Before deploying, you can change the port the server listens on in main.go; if you do, change the matching port in the validation webhook configuration file as well, or the API server will not reach the controller.
Deploy the validation controller and the webhook on the Kubernetes cluster by running the following command:
kubectl apply -f deployment.yaml
For a production deployment, keep the certificate and private key in a Kubernetes Secret rather than in the image:
kubectl create secret generic casbin -n default \
--from-file=key.pem=certs/casbin-key.pem \
--from-file=cert.pem=certs/casbin-crt.pem
After creating the Secret, mount it into the pod in the manifests and update the certificate directory in main.go to the mount path.
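The manifest pieces the steps above refer to, as an added example constructed for this page rather than the project's own deployment.yaml: the Deployment mounts the Secret created in the previous step, a Service fronts the pod, and the ValidatingWebhookConfiguration tells the API server which requests to send where. The Deployment and Service name `casbin`, the namespace `default`, the container port 8443, the mount path `/certs`, the path `/validate` and the CA file name `certs/ca.crt` are assumptions; adjust them to match main.go and the files gen_cert.sh produces.

```yaml
# Deployment: the Secret is mounted read-only so the private key never sits in the image.
# main.go must then read /certs/cert.pem and /certs/key.pem (mount path assumed).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: casbin
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: casbin
  template:
    metadata:
      labels:
        app: casbin
    spec:
      containers:
        - name: casbin
          image: casbin/k8s_authz:0.1       # keep in step with the docker build tag
          ports:
            - containerPort: 8443           # assumed; must match the port in main.go
          volumeMounts:
            - name: certs
              mountPath: /certs
              readOnly: true
      volumes:
        - name: certs
          secret:
            secretName: casbin              # the Secret created with kubectl create secret
---
apiVersion: v1
kind: Service
metadata:
  name: casbin
  namespace: default
spec:
  selector:
    app: casbin
  ports:
    - port: 443
      targetPort: 8443
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: casbin-authz
webhooks:
  - name: authz.casbin.org                  # assumed; any DNS-style name is accepted
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail                     # Ignore would admit every request while the webhook is down
    timeoutSeconds: 5
    clientConfig:
      service:
        namespace: default
        name: casbin
        path: /validate                     # assumed handler path
        port: 443
      caBundle: <base64 -w0 certs/ca.crt>   # placeholder: the CA that signed casbin-crt.pem, base64, one line
    namespaceSelector:                      # never gate kube-system, or a broken webhook can wedge the cluster
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["kube-system"]
    rules:                                  # every resource and sub-resource, as the text describes
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["*"]
        resources: ["*/*"]
        scope: "*"
```

`failurePolicy: Fail` is the secure default here: with `Ignore`, an outage of the webhook pod silently disables the whole policy layer. The price is that, while the webhook is down, nothing it covers can be created, including its own replacement pod if its namespace is covered, so either exclude that namespace in the namespaceSelector as done for kube-system, or run more than one replica.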
The server should now be running and validating every matching request to K8s resources against the Casbin policy. A quick check is to issue a request as a user the policy does not authorize and confirm that the API server rejects it with the webhook's denial message.