跳转至主要内容

Authorization of Kubernetes

K8s-authz is a Kubernetes authorization middleware built on Casbin that implements RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) policy enforcement. This middleware integrates with the Kubernetes validation admission webhook to evaluate Casbin-defined policies against each request to Kubernetes resources. Custom admission controllers register with Kubernetes using ValidatingAdmissionWebhook to validate request objects forwarded by the API server and return allow or deny responses.

The validation webhook proxies requests for all Kubernetes resource types and subresources, performing policy verification for each. Users can perform operations on resources only when authorized by the Casbin enforcer. The enforcer evaluates user roles as defined in the policies. Deploy this middleware directly to your Kubernetes cluster.

Prerequisites

Before you begin, ensure you have:

  • 正在运行的Kubernetes集群。 Set up a local cluster using Docker or establish a complete Kubernetes environment on your server. For local setup on Windows, see this guide. For Linux server setup, see this tutorial.
  • Kubectl CLI。 Installation instructions: Windows | Linux
  • OpenSSL

使用

Follow these steps to configure K8s-authz:

  1. 使用OpenSSL为每个用户生成证书和密钥。 Run:

    ./gen_cert.sh

  2. Build the Docker image from the Dockerfile manually. Update the version number in both the command and the deployment file:

    docker build -t casbin/k8s_authz:0.1 .

  3. Define Casbin policies in model.conf and policy.csv files. For policy configuration details, see the documentation.

  4. (Optional) Modify ports in main.go and the validation webhook configuration file according to your requirements.

  5. Deploy the validation controller and webhook to the Kubernetes cluster:

    kubectl apply -f deployment.yaml

  6. For production environments, create a Kubernetes secret to secure certificates:

    kubectl create secret generic casbin -n default \
      --from-file=key.pem=certs/casbin-key.pem \
      --from-file=cert.pem=certs/casbin-crt.pem

  7. Update the certificate directory paths in main.go and the manifests to reference the created secret.

The server should now be operational, validating requests to Kubernetes resources and enforcing policies.