K8s-authz is a Kubernetes (k8s) authorization middleware based on Casbin that utilizes RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) for policy enforcement. This middleware integrates with the K8s validation admission webhook to validate the policies defined by Casbin for each request made to K8s resources. Custom admission controllers are registered with Kubernetes using the
ValidatingAdmissionWebhook to perform validations on request objects forwarded by the API server and provide a response indicating whether the request should be allowed or rejected.
To determine when to send incoming requests to the admission controller, a validation webhook has been implemented. This webhook proxies requests for any type of K8s resource or sub-resource and performs policy verification. Users are only allowed to perform operations on these resources if they are authorized by the Casbin enforcer. The enforcer checks the roles of the user as defined in the policies. The K8s cluster is the deployment target for this middleware.
Before proceeding, ensure that you have the following:
- A running Kubernetes cluster. You can set up a local cluster using Docker or set up a complete Kubernetes ecosystem on your server. For detailed instructions, refer to this guide for setting up a local Kubernetes cluster on Windows or this guide for setting up a cluster on Linux.
- Kubectl CLI. Instructions for installing Kubectl on Windows can be found here, and for Linux here.
Follow these steps to use K8s-authz:
Generate certificates and keys for each user using OpenSSL. Run the script below:
docker build -t casbin/k8s_authz:0.1 .
Deploy the validation controller and the webhook on the Kubernetes cluster by running the following command:
kubectl apply -f deployment.yaml
For a production server, it is recommended to create a Kubernetes
secretto secure the certificates:
kubectl create secret generic casbin -n default \
Now, the server should be up and running, ready to validate requests made to K8s resources and enforce policies accordingly.