Skip to content

A sample of an OpenFGA Webhook Authorizer for Kubernetes.

Notifications You must be signed in to change notification settings

jon-whit/openfga-authorizer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

OpenFGA Kubernetes Authorizer

An implementation of a Kubernetes Webhook Authorizer that uses OpenFGA to make Authorization decisions.

The OpenFGA Authorizer implements the Authorizer interface.

Setup

Certificate Generation

mkdir -p certs && cd certs

openssl genrsa -out ca.key 2048

openssl req -x509 -new -nodes -key ca.key -subj "/CN=127.0.0.1" -days 10000 -out ca.crt

openssl genrsa -out server.key 2048
openssl req -new -key tls.key -out server.csr -config csr.conf

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 10000 \
    -extensions v3_ext -extfile csr.conf -sha256

Start the Kubernetes API Server and Authorizer

docker compose up

Authenticate (kubectl context)

export KUBECONFIG=./.config/kubeconfig.yaml

kubectl config use-context admin-user

Kubernetes Authorization Model

Resource Attributes

  • Verb - get, list, watch, create, update, delete, proxy (* means all/any)
  • Namespace
  • Name (ResourceName) - secrets, configmaps, deployments, pods
  • APIGroup - rbac.authorization.k8s.io, api
  • APIVersion

API Resources (top-level)

  • Create a new API object (create): POST /apis/<apiGroup>/<apiVersion>/<resource>
  • List API objects (list): GET /apis/<apiGroup>/<apiVersion>/<resource>
  • Watch API objects (watch): GET /apis/<apiGroup>/<apiVersion>/<resource>?watch=1
  • Get an API object with a given name (get): GET /apis/<apiGroup>/<apiVersion>/<resource>/<name>
  • Update an API object with a given name (update): PUT /apis/<apiGroup>/<apiVersion>/<resource>/<name>
  • Patch an API object with a given name (patch): PATCH /apis/<apiGroup>/<apiVersion>/<resource>/<name>
  • Delete an API object with a given name (delete): DELETE /apis/<apiGroup>/<apiVersion>/<resource>/<name>

Namespaced Resources

Same rules for the API Resources apply, but with a subpath scoped to the namespace. For example,

/apis/<apiGroup>/<apiVersion>/namespaces/<namespace>/<resource>

  • Get Deployment 'foo' in Namespace 'bar' - GET /apps/v1/namespaces/bar/deployments/foo

    Check(resource:/apps/v1/namespaces/bar/deployments/foo, get, user:jon)

Check /authorize endpoint with TLS

curl -v --cert certs/server.crt --key certs/server.key --cacert certs/ca.crt -H 'Content-Type: application/json' https://localhost:9443/authorize 

About

A sample of an OpenFGA Webhook Authorizer for Kubernetes.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published