casbin / k8s-gatekeeper

Kubernetes (k8s) admission controller webhook based on Casbin


Final Submission for GSOC 2022

ComradeProgrammer opened this issue · comments

Final Submission for GSOC 2022

This issue will be used as the final submission for GSOC 2022, in order to demonstrate the work that was done during the program. My work during GSOC 2022 consists of 2 parts: A. Build K8s-gatekeeper and B. Push forward the development of Casdoor.

A. Build K8s-gatekeeper

1. Overview of design of k8s-gatekeeper

K8s-gatekeeper is an admission webhook for k8s, using Casbin to apply arbitrary user-defined access control rules to help prevent any operation on k8s that the administrator doesn't want.

overview

2. Steps to build k8s-gatekeeper

1. Set up basic scaffold

  • 1.1 set up basic project structure
  • 1.2 create CRD resources for casbin model and policy
  • 1.4 generate clients for CRD resources of casbin model and policy with k8s's official tools
  • 1.3 create adaptor for CRD resources of casbin model and policy

2. Implement rules and policies

  • 2.1 implement the webhook
  • 2.2 implement Access and other functions for casbin enforcer
  • 2.3 set up unit tests
  • 2.4 implement rules and policies
  • 2.5 set up E2E tests

3. Clients

  • 3.1 implement clients

4. Pack into helm

  • 4.1 Pack into helm

5. Rewrite documents

  • 5.1 rewrite README.md

3. PRs for this project

#3 feat: set up basic project structure
#4 feat: generate client for crd resources
#5 feat: implement casbin CRD adaptor
#6 feat: add admission webhook hanlder
#7 feat: add e2e test kit
#10 feat: implement allowed_repo rule
#11 feat: add github ci
#12 feat: implement some common rules
#15 docs: add readme
#16 fix: fix expired certificate for unit test
#17 feat: rewrite e2e test with go test
#19 feat: implement other rules
#20 feat: add managent api
#21 feat: add dockerfile and internal deployments
#25 docs: fill in blanks in the doc
#22 feat: implement helm support
#24 feat: optimize ${OBJECT}&${NAMESPACE}&${RESOURCE}

B. Push forward the development of Casdoor

In the community's requirements for this GSOC project, another task was mentioned, which is to push forward the development of Casdoor. Casdoor, an Identity and Access Management (IAM) / Single-Sign-On (SSO) platform, is also an important part of the Casbin community.

Here are my contributions to this task.
casdoor/casdoor#770 fix: trigger missing webhook
casdoor/casdoor#795 feat: fix incorrect CAS url concatenation
casdoor/casdoor#847 fix: fix cors filter
casdoor/casdoor#866 feat: fix dockerfile
casdoor/casdoor#960 fix: fix webauthn entry cannot be added
casdoor/casdoor#1096 fix: fix bugs about 3rd-party login in cas flow