Proposal: Integrate Gatekeeper and Casbin into KubeSphere

[sagilio]

Background

PodSecurityPolicy (PSP) has been stuck in beta since it was introduced in Kubernetes 1.3 and now it is being deprecated in Kubernetes 1.21, this starts the countdown to its removal.

Kubernetes also allows decoupling policy decisions from the inner workings of the API Server by means of admission controller webhooks, which are executed whenever a resource is created, updated or deleted, So we can use some third-party controllers to instead it.

Proposal

Gatekeeper is a validating (mutating TBA) webhook that enforces CRD-based policies executed by Open Policy Agent. We can integrate Gatekeeper to KubeSphere, and manage the common rules and policies through CRD.

Casbin is an authorization library that supports access control models like ACL, RBAC, ABAC and has many users, and the casbin community will do the best to support this feature. Trace issue: casbin/kubesphere-authz#4

I think this feature can support these points:

• Users can add, edit, delete, enable and disable some admission policy at KubeSphere Console, like whether allow privilege container and trusted image repository, etc.
• Users can receive the rejection notification on the KubeSphere Console.
• Users can select the third-party controllers on config.

What things do we need to do?

• Integrate Gatekeeper into ks-installer ks-installer#1633
• Integrate Casbin into ks-installer
• Add admission policy management APIs
• Handle admission validate error on request chains
• Add admission policy management UI to ks-console

/area security
/kind proposal

[wansir]

I found that casbin/kubesphere-authz is a newly launched project, It seems that not fully developed enough, until then we can invite more community users to test.

[ComradeProgrammer]

Greetings. I am actually the developer of casbin/kubesphere-authz. Indeed casbin/kubesphere-authz isn't fully developed yet, but I 've already been awared of this proposal, and currently I am actively cooperating with @sagilio. I shall do my utmost to fulfill and implement casbin/kubesphere-authz to make it keep pace with the developing schedule of ks.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

[hsluoyz]

@sagilio @ComradeProgrammer any update on this issue?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

[sagilio]

/kind feature