k8s-gatekeeper's Issues

Upgrade k8s-authz to the new k8s-gatekeeper project

Currently, this PR: casbin/k8s-authz#29 has nearly refactored everything that existed in the old k8s-authz. The old k8s-authz is already a complete work, made by our GSoC 2021 student, including code, README and Casbin.org docs. I tend not to break it if possible. So maybe we should just create a new project for @ComradeProgrammer's contribution. The next ongoing contributions of Casbin + Cloud Native will be put into this repo instead.

Final Submission for GSOC 2022

This issue will be used as the final submission for GSOC 2022, in order to demonstrate the work that was done during the program. My work during GSOC 2022 consists of 2 parts: A. Build K8s-gatekeeper and B. Push forward the development of Casdoor.

A. Build K8s-gatekeeper

1. Overview of design of k8s-gatekeeper

K8s-gatekeeper is an admission webhook for k8s, using Casbin to apply arbitrary user-defined access control rules to help prevent any operation on k8s that the administrator doesn't want.

2. Steps to build k8s-gatekeeper

1. Set up basic scaffold

  • 1.1 set up basic project structure
  • 1.2 create CRD resources for casbin model and policy
  • 1.4 generate clients for CRD resources of casbin model and policy with k8s's official tools
  • 1.3 create adaptor for CRD resources of casbin model and policy

2. Implement rules and policies

  • 2.1 implement the webhook
  • 2.2 implement Access and other functions for casbin enforcer
  • 2.3 set up unit tests
  • 2.4 implement rules and policies
  • 2.5 set up E2E tests

3. Clients

  • 3.1 implement clients

4. Pack into helm

  • 4.1 Pack into helm

5. Rewrite documents

  • 5.1 rewrite README.md

3. PRs for this project

#3 feat: set up basic project structure
#4 feat: generate client for crd resources
#5 feat: implement casbin CRD adaptor
#6 feat: add admission webhook hanlder
#7 feat: add e2e test kit
#10 feat: implement allowed_repo rule
#11 feat: add github ci
#12 feat: implement some common rules
#15 docs: add readme
#16 fix: fix expired certificate for unit test
#17 feat: rewrite e2e test with go test
#19 feat: implement other rules
#20 feat: add managent api
#21 feat: add dockerfile and internal deployments
#25 docs: fill in blanks in the doc
#22 feat: implement helm support
#24 feat: optimize ${OBJECT}&${NAMESPACE}&${RESOURCE}

B. Push forward the development of Casdoor

In the community's requirements for this GSOC project, another task was mentioned, which is to push forward the development of Casdoor. Casdoor is also an important part of the Casbin community, which is an Identity and Access Management (IAM) / Single-Sign-On (SSO) platform.

Here are my contributions to this task.
casdoor/casdoor#770 fix: trigger missing webhook
casdoor/casdoor#795 feat: fix incorrect CAS url concatenation
casdoor/casdoor#847 fix: fix cors filter
casdoor/casdoor#866 feat: fix dockerfile
casdoor/casdoor#960 fix: fix webauthn entry cannot be added
casdoor/casdoor#1096 fix: fix bugs about 3rd-party login in cas flow
