{"id":19382733,"url":"https://github.com/authzed/spicedb-kubeapi-proxy","last_synced_at":"2025-07-21T16:33:10.741Z","repository":{"id":228607986,"uuid":"679365866","full_name":"authzed/spicedb-kubeapi-proxy","owner":"authzed","description":"Secure access to the Kubernetes API using SpiceDB","archived":false,"fork":false,"pushed_at":"2025-07-14T20:29:44.000Z","size":1245,"stargazers_count":30,"open_issues_count":27,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-07-15T01:00:00.903Z","etag":null,"topics":["acl","authorization","cloud-native","fga","fine-grained-access-control","kubernetes","permissions","proxy","rebac","security","spicedb","zanzibar"],"latest_commit_sha":null,"homepage":"https://authzed.com/spicedb","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/authzed.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-08-16T17:13:58.000Z","updated_at":"2025-07-14T20:29:48.000Z","dependencies_parsed_at":null,"dependency_job_id":"59a14df8-1f45-4da9-8863-d360b322b919","html_url":"https://github.com/authzed/spicedb-kubeapi-proxy","commit_stats":null,"previous_names":["authzed/spicedb-kubeapi-proxy"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/authzed/spicedb-kubeapi-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-kubeapi-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-kubeapi-proxy/tags","releases_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-kubeapi-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-kubeapi-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/authzed","download_url":"https://codeload.github.com/authzed/spicedb-kubeapi-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authzed%2Fspicedb-kubeapi-proxy/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266334543,"owners_count":23913002,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-21T11:47:31.412Z","response_time":64,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acl","authorization","cloud-native","fga","fine-grained-access-control","kubernetes","permissions","proxy","rebac","security","spicedb","zanzibar"],"created_at":"2024-11-10T09:23:01.755Z","updated_at":"2025-07-21T16:33:10.720Z","avatar_url":"https://github.com/authzed.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# spicedb-kubeapi-proxy\n\n`spicedb-kubeapi-proxy` is a proxy that runs in between clients and the kube\napiserver that can authorize requests and filter responses using an embedded or\nremote SpiceDB.\n\n## Status\n\nThe [issues](https://github.com/authzed/spicedb-kubeapi-proxy/issues) track\nthe current state of the 
project, but the primary goals before 1.0 are:\n\n- Stabilizing the API for configuring proxy rules\n- Gaining operational experience and proving the system in production\n\n## Features\n\n- 🚀 Authorize any request to the Kubernetes cluster based on data in SpiceDB\n- ✨ Filter responses (including lists) from the kubernetes cluster based on data in SpiceDB\n- 🌶️ Write to both SpiceDB and Kubernetes in a single transaction (durably)\n- 🪩 Use different user authentication in the proxy than you do in the base cluster\n- 🎉 No syncing between SpiceDB and Kubernetes is required\n- 🔒 Does not require admin permissions in the base cluster\n- 📦 Run the proxy in-cluster or out-of-cluster\n- 📡 Use an embedded SpiceDB or a remote SpiceDB\n- 📜 Configure with a variety of different rules to control access to the cluster\n- 📊 Metrics and tracing support\n\n## Architecture\n\n![Arch Diagram Dark](./docs/proxy-arch-dark.png#gh-dark-mode-only)![Arch Diagram Light](./docs/proxy-arch-light.png#gh-light-mode-only)\n\nThe proxy authenticates itself with the downstream kube-apiserver (client certs\nif running out-of-cluster, service account token if running in-cluster).\nThe proxy is configured with a set of rules that define how to authorize requests\nand how to filter responses by communicating with SpiceDB.\n\nThere are three basic types of rule:\n\n- **Check** rules: these are used to authorize whether a request is allowed to\n  proceed at all. For example, a rule might say that a user can only list pods\n  in a namespace `foo` if they have a `namespace:foo#list@user:alice` permission\n  in SpiceDB.\n- **Filter** rules: these are used to filter the response from the kube-apiserver\n  based on the data in SpiceDB. For example, a rule might say that a user can\n  only see the pods in namespace `foo` if there are corresponding relationships\n  in SpiceDB that enumerate the allowed pods, like `pod:foo/a#view@user:alice`\n  and `pod:foo/b#view@user:alice`. 
In this example, `alice` would see pods `a`\n  and `b` in namespace `foo`, but no others.\n- **Update Relationship** rules: these are used to write/delete data in\n  SpiceDB based on the request that the proxy is authorizing. For example,\n  if `alice` creates a new pod `c` in namespace `foo`, a rule can determine\n  that a relationship should be written to SpiceDB that grants ownership,\n  i.e. `pod:foo/c#view@user:alice`.\n\nRules often work in tandem; for example, a `Check` rule might authorize a request\nto list pods in a namespace, and a `Filter` rule might further restrict the\nresponse to only include certain pods.\n\nNote that the proxy does not assume anything about the structure of the data in\nSpiceDB. It is up to the user to define the data in SpiceDB and the rules that\nthe proxy uses to authorize and filter requests.\n\nThe proxy rejects any request for which it doesn't find a matching rule.\n\n# Development\n\nThis project uses `mage` to offer various development-related commands.\n\n```bash\n# run to get all available commands\nbrew install mage\nmage\n```\n\n## Tests\n\nRuns both unit and e2e tests:\n\n```bash\nmage test:all\n```\n\n## Development environment\n\n```bash\nmage dev:up\n```\n\nThis brings up a development kind cluster with the proxy running in it with an embedded SpiceDB.\nA development `dev.kubeconfig` file will be generated so that you can configure your client\nto talk to either the proxy or the upstream kind cluster.\n\nExamples:\n\n```bash\nkubectl --kubeconfig $(pwd)/dev.kubeconfig --context proxy get namespace\n```\n\nor\n\n```bash\nexport KUBECONFIG=$(pwd)/dev.kubeconfig\nkubectx proxy\nkubectl get namespace\n```\n\nYou can also talk to the upstream cluster to verify things by switching to the context name `admin`:\n\n```bash\nkubectl --kubeconfig $(pwd)/dev.kubeconfig --context admin get namespace\n```\n\nTo clean everything up just run:\n\n```bash\nmage dev:clean\n```\n\n## Run the proxy locally\n\nSometimes you may want to 
debug the proxy. The easiest way would be to spin up the development environment with `mage dev:up`\nand then run the proxy targeting it as upstream:\n\n```bash\nmage dev:run\n```\n\nAlternatively if you want to run with delve or your IDE, do:\n\n```bash\ngo run ./cmd/spicedb-kubeapi-proxy/main.go --bind-address=127.0.0.1 --secure-port=8443 --backend-kubeconfig $(pwd)/spicedb-kubeapi-proxy.kubeconfig --client-ca-file $(pwd)/client-ca.crt --requestheader-client-ca-file $(pwd)/client-ca.crt --spicedb-endpoint embedded://\n```\n\nYou'll then be able to reach out to your local proxy instance with the context `local`. Note TLS certs are\nauto-generated by Kube so `--insecure-skip-tls-verify` must be provided.\n\n```bash\nexport KUBECONFIG=$(pwd)/dev.kubeconfig\nkubectx proxy\nkubectl --insecure-skip-tls-verify get namespace\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fspicedb-kubeapi-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauthzed%2Fspicedb-kubeapi-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthzed%2Fspicedb-kubeapi-proxy/lists"}