An implementation of a Kubernetes Webhook Authorizer that uses OpenFGA to make Authorization decisions.
The OpenFGA Authorizer implements the Authorizer interface.
mkdir -p certs && cd certs
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=127.0.0.1" -days 10000 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -key tls.key -out server.csr -config csr.conf
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out server.crt -days 10000 \
-extensions v3_ext -extfile csr.conf -sha256
docker compose up
export KUBECONFIG=./.config/kubeconfig.yaml
kubectl config use-context admin-user
- Verb -
get
,list
,watch
,create
,update
,delete
,proxy
(*
means all/any) - Namespace
- Name (ResourceName) -
secrets
,configmaps
,deployments
,pods
- APIGroup -
rbac.authorization.k8s.io
,api
- APIVersion
- Create a new API object (create): POST
/apis/<apiGroup>/<apiVersion>/<resource>
- List API objects (list): GET
/apis/<apiGroup>/<apiVersion>/<resource>
- Watch API objects (watch): GET
/apis/<apiGroup>/<apiVersion>/<resource>?watch=1
- Get an API object with a given name (get): GET
/apis/<apiGroup>/<apiVersion>/<resource>/<name>
- Update an API object with a given name (update): PUT
/apis/<apiGroup>/<apiVersion>/<resource>/<name>
- Patch an API object with a given name (patch): PATCH
/apis/<apiGroup>/<apiVersion>/<resource>/<name>
- Delete an API object with a given name (delete): DELETE
/apis/<apiGroup>/<apiVersion>/<resource>/<name>
Same rules for the API Resources apply, but with a subpath scoped to the namespace. For example,
/apis/<apiGroup>/<apiVersion>/namespaces/<namespace>/<resource>
-
Get Deployment 'foo' in Namespace 'bar' - GET /apps/v1/namespaces/bar/deployments/foo
Check(resource:/apps/v1/namespaces/bar/deployments/foo, get, user:jon)
curl -v --cert certs/server.crt --key certs/server.key --cacert certs/ca.crt -H 'Content-Type: application/json' https://localhost:9443/authorize