Authorization of Kubernetes
K8s-authz is a Kubernetes (k8s) RBAC & ABAC authorization middleware based on Casbin. This middleware uses a K8s validating admission webhook to check the policies defined in Casbin for every request made against k8s resources. These custom admission controllers perform validation on the request object forwarded by the API server and, based on the policy decision, send back a response telling the API server whether to allow or reject the request. These controllers are registered with Kubernetes using a ValidatingAdmissionWebhook.
The K8s API server needs to know when to send an incoming request to our admission controller. For this, we define a validating webhook configuration that forwards requests for any type of K8s resource/sub-resource to the controller, which performs policy verification on them. The user is allowed to perform an operation on a resource only if the Casbin enforcer authorizes it. The enforcer checks the roles of the user as defined in the policies. This middleware is deployed on the K8s cluster itself.
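To make the flow above concrete, here is an added example (not code from the k8s-authz project) of what the controller does for one AdmissionReview: it loads a Casbin-style policy.csv, maps the request to a (subject, object, action) triple, and returns an allow/deny response. The policy lines, the AdmissionReview document and the mapping of the Kubernetes operation to the action field are constructed assumptions for illustration; the real project reads its matcher from model.conf rather than hardcoding the RBAC rule as done here.

```python
import json

# Constructed policy in Casbin policy.csv shape: p = permission, g = role binding.
POLICY_CSV = """\
p, admin, pods, create
p, admin, pods, delete
p, deployer, deployments, update
g, alice, admin
g, bob, deployer
"""

# Constructed AdmissionReview as the API server would POST it to the webhook.
SAMPLE_REVIEW = json.dumps({
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-1", "operation": "DELETE",
                "userInfo": {"username": "bob"},
                "resource": {"group": "", "version": "v1", "resource": "pods"}}})


def load_policy(csv_text):
    """Parse policy.csv lines into a set of (role, obj, act) rules and user->roles map."""
    rules, groups = set(), {}
    for line in csv_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 4:
            rules.add((parts[1], parts[2], parts[3]))
        elif parts[0] == "g" and len(parts) == 3:
            groups.setdefault(parts[1], set()).add(parts[2])
    return rules, groups


def enforce(rules, groups, sub, obj, act):
    """RBAC matcher equivalent to: g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act."""
    roles = groups.get(sub, set()) | {sub}   # a user may also be named directly in a p rule
    return any((role, obj, act) in rules for role in roles)


def review(admission_review_json, rules, groups):
    """Decide one AdmissionReview and build the response the API server expects."""
    req = json.loads(admission_review_json)["request"]
    sub = req["userInfo"]["username"]           # who is calling
    obj = req["resource"]["resource"]           # e.g. "pods"
    act = req["operation"].lower()              # CREATE/UPDATE/DELETE -> create/update/delete
    allowed = enforce(rules, groups, sub, obj, act)
    response = {"uid": req["uid"], "allowed": allowed}  # uid must echo the request uid
    if not allowed:
        response["status"] = {"code": 403, "message": f"{sub} may not {act} {obj}"}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}
```

Note that admission webhooks only see mutating operations (CREATE, UPDATE, DELETE, CONNECT), so read-only verbs such as get or list in the policy would never be evaluated here.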
Requirements
Before proceeding, make sure to have the following:
- A running k8s cluster. You can either run the cluster through Docker by enabling Kubernetes in Docker Desktop, or you can set up the complete K8s ecosystem locally or on your server. You can follow this detailed guide to set up the k8s cluster locally on Windows, or this guide if you want to set it up on Linux.
- Kubectl CLI. This is the guide to set it up on Windows and this guide for Linux.
- OpenSSL
Usage
- Generate the certificates and keys for every user by using openssl and running the following script:
./gen_cert.sh
- Build the docker image from the Dockerfile manually by running the following command, and then change the build version here and in the deployment file to match the build.
docker build -t casbin/k8s_authz:0.1 .
Define the Casbin policies in model.conf and policy.csv. You can refer to the docs to learn more about how these policies work.
Before deploying, you can change the ports in main.go and in the validating webhook configuration file depending on your usage.
Deploy the validation controller and the webhook on the k8s cluster by running:
kubectl apply -f deployment.yaml
- For a production server, we need to create a k8s secret to hold the certificates for security purposes.
kubectl create secret generic casbin -n default \
--from-file=key.pem=certs/casbin-key.pem \
--from-file=cert.pem=certs/casbin-crt.pem
- Once this part is done, we need to change the directory of the certs in main.go and then in the manifests to the mount path of the secret.
Now the server should be running and ready to validate the requests for the operations on the k8s resources.