{"id":19298207,"url":"https://github.com/casbin/k8s-authz","last_synced_at":"2025-04-22T09:32:16.923Z","repository":{"id":37008509,"uuid":"279464473","full_name":"casbin/k8s-authz","owner":"casbin","description":"Kubernetes (k8s) RBAC \u0026 ABAC authorization middleware based on Casbin","archived":false,"fork":false,"pushed_at":"2023-11-17T14:19:49.000Z","size":187,"stargazers_count":30,"open_issues_count":1,"forks_count":9,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-19T17:14:37.857Z","etag":null,"topics":["abac","acl","auth","authorization","authz","casbin","cloud-native","docker","k8s","kubernetes","middleware","plugin","rbac"],"latest_commit_sha":null,"homepage":"https://casbin.org/docs/k8s","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/casbin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"github":"casbin"}},"created_at":"2020-07-14T02:48:19.000Z","updated_at":"2025-02-11T15:04:14.000Z","dependencies_parsed_at":"2023-12-18T02:02:49.732Z","dependency_job_id":null,"html_url":"https://github.com/casbin/k8s-authz","commit_stats":{"total_commits":28,"total_committers":8,"mean_commits":3.5,"dds":0.4285714285714286,"last_synced_commit":"c92189a86ffb087ae49334ace2df5ea3bb2bad67"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/casbin%2Fk8s-authz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/casbin%2Fk8s-authz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/casbin%2
Fk8s-authz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/casbin%2Fk8s-authz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/casbin","download_url":"https://codeload.github.com/casbin/k8s-authz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250141427,"owners_count":21381599,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abac","acl","auth","authorization","authz","casbin","cloud-native","docker","k8s","kubernetes","middleware","plugin","rbac"],"created_at":"2024-11-09T23:07:15.376Z","updated_at":"2025-04-22T09:32:16.896Z","avatar_url":"https://github.com/casbin.png","language":"Go","funding_links":["https://github.com/sponsors/casbin"],"categories":[],"sub_categories":[],"readme":"# k8s-authz\n[![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/casbin/k8s-authz/issues)\n[![Go Report Card](https://goreportcard.com/badge/github.com/casbin/k8s-authz)](https://goreportcard.com/report/github.com/casbin/k8s-authz)\n[![Coverage 
Status](https://coveralls.io/repos/github/casbin/k8s-authz/badge.svg?branch=master)](https://coveralls.io/github/casbin/k8s-authz?branch=master)\n[![Go](https://github.com/casbin/k8s-authz/actions/workflows/ci.yaml/badge.svg)](https://github.com/casbin/k8s-authz/actions/workflows/ci.yaml)\n[![Discord](https://img.shields.io/discord/1022748306096537660?logo=discord\u0026label=discord\u0026color=5865F2)](https://discord.gg/S5UjpzGZjN)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n\n\u003cp align=\"center\"\u003e\n    \u003cimg width=\"300\" height=\"300\" src=\"k8s-logo.png\" alt=\"K8s-authz\" /\u003e\n\u003c/p\u003e\n\nK8s-authz is an authorization middleware for [Kubernetes](https://github.com/kubernetes/kubernetes) based on [Casbin](https://github.com/casbin/casbin).\n\n## Installation\n\n```\ngo get github.com/casbin/k8s-authz\n```\n\n## How it works\n\nThis middleware runs as a Kubernetes validating admission webhook. For every request that targets pods, the API server sends an `AdmissionReview` to the webhook, which evaluates the request against the policies defined for Casbin: the operation is allowed only if the Casbin enforcer authorizes it, and the enforcer decides by matching the roles assigned to the requesting user in the policy against the resource and the operation. The API server has to be told which requests to forward, which is what the `ValidatingWebhookConfiguration` generated from `manifests/ValidatingWebhookConf.yaml.template` does. The middleware itself is deployed inside the k8s cluster.\n\nTwo consequences of this design are worth keeping in mind. Admission webhooks run after the API server's own authentication and authorization, so this middleware can only deny requests that Kubernetes RBAC has already permitted; it cannot grant access that the cluster's RBAC withholds. And the webhook's `failurePolicy` decides what happens while the webhook is unreachable: `Fail` blocks pod operations until it is back, `Ignore` lets them through without the policy check.
\n\n## Requirements\n\nBefore proceeding, make sure you have the following:\n- A running k8s cluster\n- kubectl\n- OpenSSL\n\n## Configuration and Usage\n\n- Generate the CA and the webhook server's certificate and key with OpenSSL. On Linux you can run the provided script directly:\n    ```\n    ./gen_cert.sh\n    ```\n  On Windows, executing `./gen_cert.sh` can be problematic, especially under `Git Bash`; run the equivalent commands by hand instead:\n    ```\n    # Do not use Git Bash to execute these commands (cmd works)\n\n    openssl genrsa -out certs/ca.key 2048\n\n    openssl req -new -x509 -key certs/ca.key -out certs/ca.crt\n\n    openssl genrsa -out certs/casbin-key.pem 2048\n\n    openssl req -new -key certs/casbin-key.pem -subj \"/CN=casbin.default.svc\" -out casbin.csr\n\n    openssl x509 -req -in casbin.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/casbin-crt.pem\n\n    # Git Bash (or any equivalent) is fine for the remaining commands\n\n    export CA_BUNDLE=$(cat certs/ca.crt | base64 | tr -d '\\n')\n\n    cat manifests/ValidatingWebhookConf.yaml.template | envsubst \u003e manifests/ValidatingWebhookConf.yaml\n    ```\n  The certificate is issued for `casbin.default.svc`, the in-cluster DNS name of the `casbin` Service in the `default` namespace, which is the name the API server verifies when it calls the webhook. API servers built with Go 1.15 or later check that name against the certificate's `subjectAltName` rather than its `CN`, so if the API server rejects the certificate with a legacy Common Name error, re-sign the CSR with an extension file containing `subjectAltName=DNS:casbin.default.svc` (passed to `openssl x509 -req` via `-extfile`). `CA_BUNDLE` carries the base64-encoded CA certificate into the webhook configuration; that is the CA the API server will trust for the webhook's serving certificate.\n\n- Store the certificate and key in a k8s `Secret`, so that the webhook pod mounts them at runtime instead of shipping them inside the image:\n    ```\n    kubectl create secret generic authz -n default \\\n      --from-file=key.pem=certs/casbin-key.pem \\\n      --from-file=cert.pem=certs/casbin-crt.pem\n    ```\n- Once this is done, change the certificate paths in [main.go](https://github.com/ashish493/k8s-authz/blob/3560551427c0431a9d4594ad1206f084ede37c49/main.go#L26) and in the [manifests](https://github.com/ashish493/k8s-authz/blob/3560551427c0431a9d4594ad1206f084ede37c49/manifests/deployment.yaml#L22) to match the `Secret`.\n\n- Build the Docker image from the 
[Dockerfile](https://github.com/casbin/k8s-authz/blob/master/Dockerfile) by running the following command, then set the same image tag here and in the deployment [file](https://github.com/casbin/k8s-authz/blob/718f58c46e3dbf79063b5b1c18348c2fee5de9e9/manifests/deployment.yaml#L18) so the cluster pulls the build you made:\n    ```\n    docker build -t casbin/k8s_authz:latest .\n    ```\n\n- Define the Casbin model in [model.conf](https://github.com/casbin/k8s-authz/blob/master/config/model.conf) and the policy rules in [policy.csv](https://github.com/casbin/k8s-authz/blob/master/config/policy.csv). Refer to the [docs](https://casbin.org/docs/how-it-works) for how Casbin models and policies work.\n\n- Before deploying, you can change the ports in [main.go](https://github.com/casbin/k8s-authz/blob/master/main.go) and in the validation webhook configuration [file](https://github.com/casbin/k8s-authz/blob/master/manifests/deployment.yaml) to suit your setup.\n\n- Deploy the validation controller and the webhook on the k8s cluster by running:\n    ```\n    kubectl apply -f manifests/deployment.yaml\n\n    # Wait for the Deployment to become Ready before registering the webhook\n\n    kubectl apply -f manifests/ValidatingWebhookConf.yaml\n    ```\n\nNow the server should be running and ready to validate requests for operations on pods.\n\n## Documentation\n\nYou can check the official [docs](https://casbin.org/docs/k8s) for a more detailed explanation.\n\n## Community\n\nIn case of any query, you can ask on our [Discord](https://discord.gg/S5UjpzGZjN).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcasbin%2Fk8s-authz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcasbin%2Fk8s-authz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcasbin%2Fk8s-authz/lists"}
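The request-to-decision path that the README's "How it works" section describes, as an added example that is not code from the k8s-authz project: an `AdmissionReview` is decoded, mapped onto Casbin's `(sub, obj, act)` triple and evaluated against policy lines in the `p, role, obj, act` / `g, user, role` shape of a Casbin `policy.csv`. The `Policy` type is a small stand-in for the Casbin enforcer so the file runs with the standard library only (in the real middleware `Enforcer.Enforce` takes its place); the `AdmissionReview` structs are a hand-written subset of `admission.k8s.io/v1`, and the sample policy, the user names and the review body are constructed for this example.

```go
// Added example, not the k8s-authz project's own code: the request-to-decision core of a
// validating admission webhook. Policy is a stand-in for the Casbin RBAC enforcer
// (in the real middleware, Enforcer.Enforce(sub, obj, act) takes the place of Policy.Allow).
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of admission.k8s.io/v1 (the real types live in k8s.io/api/admission/v1).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID       string                                     `json:"uid"`
	Resource  struct{ Group, Version, Resource string }   `json:"resource"`
	Operation string                                     `json:"operation"` // CREATE, UPDATE, DELETE, CONNECT
	UserInfo  struct{ Username string; Groups []string } `json:"userInfo"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}
type Status struct{ Message string `json:"message"` }

// ParseReview decodes the AdmissionReview body that the API server POSTs to the webhook.
func ParseReview(raw []byte) (*AdmissionReview, error) {
	var in AdmissionReview
	err := json.Unmarshal(raw, &in)
	return &in, err
}

// Policy stands in for the Casbin RBAC enforcer, reading the "p, role, obj, act" and
// "g, user, role" lines of a policy.csv. A malformed line is an error, never skipped:
// a typo must not silently drop a grant.
type Policy struct {
	grants map[string]bool     // "role|obj|act"
	roles  map[string][]string // user -> roles
}

func ParsePolicy(text string) (*Policy, error) {
	p := &Policy{grants: map[string]bool{}, roles: map[string][]string{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(strings.ReplaceAll(sc.Text(), ",", " ")) // split on commas, drop padding
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		switch {
		case f[0] == "p" && len(f) == 4:
			p.grants[f[1]+"|"+f[2]+"|"+f[3]] = true
		case f[0] == "g" && len(f) == 3:
			p.roles[f[1]] = append(p.roles[f[1]], f[2])
		default:
			return nil, fmt.Errorf("policy line %d: malformed %q", n, sc.Text())
		}
	}
	return p, nil
}

// Allow: the subject itself or one of its roles must hold the exact grant; otherwise deny.
func (p *Policy) Allow(sub, obj, act string) bool {
	for _, r := range append([]string{sub}, p.roles[sub]...) {
		if p.grants[r+"|"+obj+"|"+act] {
			return true
		}
	}
	return false
}

// Decide maps the request onto Casbin's (sub, obj, act): the username the API server has
// already authenticated, the resource ("pods") and the lower-cased operation. A review
// with no request is denied (fail closed), and the response must echo the request UID.
func Decide(p *Policy, in *AdmissionReview) *AdmissionReview {
	out := &AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview"}
	if in.Request == nil {
		out.Response = &AdmissionResponse{Status: &Status{"missing request"}}
		return out
	}
	r := in.Request
	sub, obj, act := r.UserInfo.Username, r.Resource.Resource, strings.ToLower(r.Operation)
	out.Response = &AdmissionResponse{UID: r.UID, Allowed: p.Allow(sub, obj, act)}
	if !out.Response.Allowed {
		out.Response.Status = &Status{fmt.Sprintf("casbin: %s may not %s %s", sub, act, obj)}
	}
	return out
}

// Constructed sample input (not the project's): a policy, and the review the API server
// would post for "kubectl delete pod" run as user bob.
const SamplePolicy = "p, pod-admin, pods, delete\np, pod-reader, pods, connect\ng, alice, pod-admin\ng, bob, pod-reader\n"
const SampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{
"uid":"705ab4f5-6393-11e8-b7cc-42010a800002","resource":{"group":"","version":"v1","resource":"pods"},
"operation":"DELETE","userInfo":{"username":"bob","groups":["system:authenticated"]}}}`
```

To serve it, wrap `ParseReview` and `Decide` in an `http.HandlerFunc` that reads the body through `http.MaxBytesReader`, writes the encoded review back with `Content-Type: application/json`, and listen with `http.ListenAndServeTLS` on the cert and key mounted from the `authz` Secret: the API server only calls webhooks over HTTPS and only trusts the CA it was given in the webhook configuration. Two details matter for safety: the response must echo the request `uid`, and anything the policy does not grant, including a review without a request, is denied.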