casbin / k8s-authz Goto Github PK

View Code? Open in Web Editor NEW

28.0 5.0 9.0 187 KB

Kubernetes (k8s) RBAC & ABAC authorization middleware based on Casbin

Home Page: https://casbin.org/docs/k8s

License: Apache License 2.0

Shell 12.39% Go 82.32% Dockerfile 5.29%

casbin middleware plugin kubernetes k8s docker auth authz rbac acl

k8s-authz's Introduction

k8s-authz

K8s-authz is authorization middleware for Kubernetes, which is based on Casbin.

Installation

go get github.com/casbin/k8s-authz

Working

This middleware uses K8s validation admission webhook to check the policies defined by casbin, for every request related to the pods. The K8s API server needs to know when to send the incoming request to our admission controller. For this part, we have defined a validation webhook which would proxy the requests for the pods and perform policy verification on it. The user would be allowed to perform the operations on the pods, only if the casbin enforcer authorizes it. The enforcer checks the roles of the user defined in the policies. This middleware would be deployed on the k8s cluster.

Requirements

Before proceeding, make sure to have the following-

Running k8s Cluster
kubectl
Openssl

Configuration and Usage

Generate the certificates and keys for every user by using openssl and running the following script:

If you are on a Linux system, you can execute shell scripts directly

./gen_cert.sh

If you are on a Windows system, executing ./gen_cert.sh can be problematic, especially if you are using Git Bash Follow the steps below:

# Do not use Git Bash to execute these commands (You can use cmd)

openssl genrsa -out certs/ca.key 2048

openssl req -new -x509 -key certs/ca.key -out certs/ca.crt

openssl genrsa -out certs/casbin-key.pem 2048

openssl req -new -key certs/casbin-key.pem -subj "/CN=casbin.default.svc" -out casbin.csr

openssl x509 -req -in casbin.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/casbin-crt.pem

# You can use Git Bash to execute the following command, or you can use other equivalent methods

export CA_BUNDLE=$(cat certs/ca.crt | base64 | tr -d '\n')

cat manifests/ValidatingWebhookConf.yaml.template | envsubst > manifests/ValidatingWebhookConf.yaml

For a production server, we need to create a k8s secret to place the certificates for security purposes.

kubectl create secret generic authz -n default \
  --from-file=key.pem=certs/casbin-key.pem \
  --from-file=cert.pem=certs/casbin-crt.pem

Once, this part is done we need to change the directory of the certs in main.go and then in manifests with that of the secret.
Build the docker image from the Dockerfile manually by running the following command and then change the build version here and at the deployment file, as per the builds.
```
docker build -t casbin/k8s_authz:latest .
```
Define the casbin policies in the model.conf and policy.csv. You can refer the docs to get to know more about the working of these policies.
Before deploying, you can change the ports in main.go and also in the validation webhook configuration file depending on your usage.

Deploy the validation controller and the webhook on k8s cluster by running:

kubectl apply -f manifests/deployment.yaml

# Wait for Deployment Ready

kubectl apply -f manifests/ValidatingWebhookConf.yaml

Now the server should be running and ready to validate the requests for the operations on the pods.

Documentation

You can check the official docs for more detailed explanation.

Community

In case of any query, you can ask on our Discord.

k8s-authz's People

Contributors

Stargazers

Watchers

Forkers

yahoo17 ashish493 syllogy abichinger uivid64 comradeprogrammer sagilio pokisemaine selflocking

k8s-authz's Issues

Add this k8s-authz middleware to the official list

We have several options to integrate this repo into the kubernetes ecosystem, like code integration, listing in the 3rd-party authorization middleware list, etc. See how we did it for apisix middleware: casbin-lua/apisix-authz#5

Add GitHub Actions CI to run the tests

See: #6 (comment)

GitHub Actions Run failed: Go - master (3560551)

https://github.com/casbin/k8s-authz/runs/2855727369?check_suite_focus=true

Fix the coverage badge

http: TLS handshake error from 192.168.1.41:24206: remote error: tls: bad certificate

export CA_BUNDLE=$(cat certs/ca.crt | base64 | tr -d '\n') cat deployment.yaml | envsubst > deployment.yaml

Whether tested, the generated deployment.yaml is empty

Add unit tests to improve test coverage

Add unit tests for

policy validation
to check server response for authorized and non-authorized user

The automated release is failing 🚨

🚨 The automated release from the `master` branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Missing `package.json` file.

A package.json file at the root of your project is required to release on npm.

Please follow the npm guideline to create a valid package.json file.

Good luck with your project ✨

Your semantic-release bot 📦🚀

Make an authorization plugin/middleware for kubernetes (k8s)

Kubernetes is one of the biggest project in Go and we have no reason for not supporting it well. I hope we can develop a middleware or something similar to help Kubernetes user use Casbin as the authorization layer.

This is very important for us. Currently, no single k8s and its ecosystem users use Casbin because we don't have such a middleware.

Here's a link about how other projects integrate with k8s: https://www.openpolicyagent.org/docs/v0.12.2/kubernetes-admission-control/

We already have some code and even some docs last summer.

Now we want to resurrect this project. Hope someone can work on it.

1 dispatcher.go:129] Failed calling webhook, failing open casbin.default.svc: failed calling webhook "casbin.default.svc": Post "https://casbin.default.svc:443/validate?timeout=5s": x509: certificate is not valid for any names, but wanted to match casbin.default.svc

error: error validating "deployment.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0]): missing required field "sideEffects" in io.k8s.api.admissionregistration.v1.ValidatingWebhook, ValidationError(ValidatingWebhookConfiguration.webhooks[0]): missing required field "admissionReviewVersions" in io.k8s.api.admissionregistration.v1.ValidatingWebhook]; if you choose to ignore these errors, turn validation off with --validate=false

error: error validating "deployment.yaml": error validating data: [ValidationError(ValidatingWebhookConfiguration.webhooks[0]): missing required field "sideEffects" in io.k8s.api.admissionregistration.v1.ValidatingWebhook, ValidationError(ValidatingWebhookConfiguration.webhooks[0]): missing required field "admissionReviewVersions" in io.k8s.api.admissionregistration.v1.ValidatingWebhook]; if you choose to ignore these errors, turn validation off with --validate=false

Fail to run docker build

OS: CentOS Linux release 7.2 (Final)
Problem: fail to do docker build

I clone from git at master branch, and after run "sh gen_cert.sh", then I ran

docker build -t casbin/k8s_authz:0.1 .

it gives

Sending build context to Docker daemon  385.5kB
Step 1/12 : FROM golang:1.15-alpine AS build-env
 ---> 1403af3b6d4a
Step 2/12 : RUN apk update && apk upgrade &&     apk add --no-cache git
 ---> Using cache
 ---> f02e449b8621
Step 3/12 : WORKDIR /
 ---> Using cache
 ---> ee38f51a6d65
Step 4/12 : COPY go.mod .
 ---> Using cache
 ---> ecba6a5900ec
Step 5/12 : COPY go.sum .
 ---> Using cache
 ---> 13f6065dd905
Step 6/12 : RUN go mod download
 ---> Using cache
 ---> eea5f2b0e7cb
Step 7/12 : COPY . .
 ---> Using cache
 ---> 264136810785
Step 8/12 : RUN go build -o ./out/authz
 ---> Using cache
 ---> 3065459d60a6
Step 9/12 : COPY --from=build /out/authz /authz
invalid from flag value build: pull access denied for build, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

service/casbin created
Error from server (Invalid): error when creating "deployment.yaml": Deployment.apps "casbin" is invalid: [spec.selector: Required value, spec.template.metadata.labels: Invalid value: map[string]string{"name":"casbin"}: `selector` does not match template `labels`]
Error from server (BadRequest): error when creating "deployment.yaml": ValidatingWebhookConfiguration in version "v1" cannot be handled as a ValidatingWebhookConfiguration: illegal base64 data at input byte 0

also I had question regarding what to fill in this when running gen_cert.sh

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: