forked from yahoojapan/garm

Garm is k8s authorization webhook (SubjectAccessReview API) server for Athenz


taisuou/garm

 
 



What is Garm

Garm is an API server for a Kubernetes authorization webhook that integrates with Athenz for access checks. It allows flexible mapping from K8s resources to Athenz resources.

You can also use just the authorization hook without also using the authentication hook. Use of the authentication hook requires Athenz to be able to sign tokens for users.

Requires Go 1.11 or later.

Use case

Authorization


  1. K8s webhook request (SubjectAccessReview) (Webhook Mode - Kubernetes)
    • the K8s API server wants to know if the user is allowed to do the requested action
  2. Athenz RBAC request (Athenz)
    • Athenz server contains the user authorization information for access control
    • Garm asks the Athenz server whether the user action is allowed based on the pre-configured policy

Garm converts the K8s request to an Athenz request based on the mapping rules in config.yaml (example).

P.S. The deployment shown above is just a sample solution. Garm can work in any environment as long as it can access both the API server and the Athenz server.
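The request conversion described above, sketched as an added Go example; it is not Garm's code and does not use Garm's config.yaml format. The verb-to-action table, the `domain:namespace.resource` resource string, the `k8s.example` domain and the `check` callback standing in for the Athenz server call are assumptions made for illustration, and the request body is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SubjectAccessReview holds a subset of the authorization.k8s.io/v1 fields.
type SubjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		User  string `json:"user"`
		Attrs *struct {
			Namespace string `json:"namespace"`
			Verb      string `json:"verb"`
			Resource  string `json:"resource"`
		} `json:"resourceAttributes"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}

// Hypothetical mapping rules (not Garm's config.yaml format): K8s verb -> Athenz action.
var verbToAction = map[string]string{"get": "read", "list": "read", "create": "write", "delete": "write"}

// Review maps a request to an Athenz (action, resource) pair and asks check, a
// stand-in for the Athenz access call. Anything unparseable or unmapped is denied.
func Review(body []byte, domain string, check func(principal, action, resource string) bool) SubjectAccessReview {
	var sar SubjectAccessReview
	err := json.Unmarshal(body, &sar)
	sar.Status.Allowed = false // never trust a status supplied by the caller
	ra := sar.Spec.Attrs
	if err != nil || ra == nil || verbToAction[ra.Verb] == "" {
		sar.Status.Reason = "unparseable, non-resource, or unmapped request"
		return sar
	}
	resource := fmt.Sprintf("%s:%s.%s", domain, ra.Namespace, ra.Resource)
	sar.Status.Allowed = check(sar.Spec.User, verbToAction[ra.Verb], resource)
	return sar
}

func main() { // constructed request body and a constructed one-rule policy
	body := []byte(`{"apiVersion":"authorization.k8s.io/v1","kind":"SubjectAccessReview","spec":{"user":"alice","resourceAttributes":{"namespace":"dev","verb":"get","resource":"pods"}}}`)
	out, _ := json.Marshal(Review(body, "k8s.example", func(p, a, r string) bool { return p == "alice" && a == "read" }))
	fmt.Println(string(out))
}
```

The webhook response is the same object with `status` filled in, so the example clears any `status.allowed` that arrived in the request before it makes a decision.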

Docker

$ docker pull yahoojapan/garm

Usage

CI/CD

Future work

  1. Authentication support for Garm
  2. Helm Support
  3. mTLS Support between Athenz and Garm
  4. Multiple Athenz domain support

License

Copyright (C)  2018 Yahoo Japan Corporation Athenz team.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


Contributor License Agreement

This project requires contributors to agree to a Contributor License Agreement (CLA).

Note that, only for contributions to the garm repository on GitHub, the contributors shall be deemed to have agreed to the CLA without individual written agreements.

Authors
