GSoC’21 Phase-1 @ Casbin

Ashish Malik
4 min read, Jul 14, 2021

Hey Everyone,

I got selected again for Google Summer of Code this year. This time I got selected at Casbin for the k8s-authz project. This project was a bit different from the others and I was really excited to work on it. In this post, I will be sharing my progress as well as a detailed explanation of the project.

You can check my previous GSoC project’s final report here. This project was about creating an Intelligent Intrusion Detection System under OWASP Foundation, which would use the power of AI to detect intrusions.

So, we are halfway through the Google Summer of Code 2021 program and the journey is going great so far. During this time, I had my end semester exams for 2 semesters. Also some of my family members were Covid positive, so it became a little hectic in between. But anyway, let's come back to the project.

Project Overview

Casbin is an open-source authorization library which supports access control models like ACL, RBAC and ABAC for Golang, Python, C++, Lua and many other languages. There are many Casbin plugins which support different tools. Kubernetes, being one of the biggest projects in Go, didn't have this support. So, this project is about developing a Casbin plugin/middleware for Kubernetes (k8s), which would authorize users to access certain pods or clusters based upon the roles/policies defined in the Casbin policy file.

Pre-community Bonding Period

I started contributing to this project even before the results were announced. So, I researched how to validate requests in a k8s cluster and then started reading the official k8s docs on Dynamic Admission Controllers.

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

There are 2 different types of admission webhooks, MutatingAdmissionWebhook and ValidatingAdmissionWebhook. For our project's use case, I had to choose the latter as the admission controller. So, this webhook works in such a way that whenever any user/client performs an operation on the pods, the webhook validates that request using Casbin and then allows/denies the user based on that. Basically, the validation logic is based on the Casbin enforcer. During this period, I tried to create a basic setup of the project.

Validation logic

I have used the Casbin RBAC API to check the user's permission. By default, the permission remains true, but if the user doesn't have permission for the particular operation being performed, then they get an error message saying that they are not authorized.
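The decision step described above (the ValidatingAdmissionWebhook handing the request's user, resource and operation to the Casbin enforcer, allowing by default and answering with a "not authorized" message on denial), as an added example that is not k8s-authz's own code: to run offline with only the standard library, it replaces the real Casbin enforcer with a small stand-in that reads the same CSV policy rows, and replaces the k8s.io/api types with a hand-written view of AdmissionReview.request. Policy verbs in lowercase and the exact message text are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Stand-in for the Casbin RBAC enforcer (not the real library); rows follow Casbin's CSV policy format: "p, role, resource, verb" and "g, user, role".
type enforcer struct{ p, g [][]string }
func newEnforcer(policy string) *enforcer {
	e := &enforcer{}
	for _, line := range strings.Split(policy, "\n") {
		if f := strings.Fields(strings.ReplaceAll(line, ",", " ")); len(f) == 4 && f[0] == "p" {
			e.p = append(e.p, f[1:])
		} else if len(f) == 3 && f[0] == "g" {
			e.g = append(e.g, f[1:])
		}
	}
	return e
}
// Enforce mirrors Casbin's Enforce(sub, obj, act): a p row grants access when resource and verb match ("*" matches anything) and sub is, or is g-linked to, its role.
func (e *enforcer) Enforce(sub, obj, act string) bool {
	for _, p := range e.p {
		for _, g := range append([][]string{{sub, sub}}, e.g...) {
			if g[0] == sub && g[1] == p[0] && (p[1] == obj || p[1] == "*") && (p[2] == act || p[2] == "*") {
				return true
			}
		}
	}
	return false
}
// Validate is the webhook's decision step: decode the AdmissionReview the API server POSTs, then allow unless the enforcer rejects (user, resource, verb).
func (e *enforcer) Validate(body []byte) (bool, string, error) {
	var r struct {
		Request struct { // hand-written subset of admission.k8s.io/v1 AdmissionRequest
			Operation string                                   `json:"operation"`
			Resource  struct{ Resource string `json:"resource"` } `json:"resource"`
			UserInfo  struct{ Username string `json:"username"` } `json:"userInfo"`
		} `json:"request"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return false, "", fmt.Errorf("malformed AdmissionReview: %w", err)
	}
	user, res := r.Request.UserInfo.Username, r.Request.Resource.Resource
	if verb := strings.ToLower(r.Request.Operation); !e.Enforce(user, res, verb) {
		return false, fmt.Sprintf("user %q is not authorized to %s %s", user, verb, res), nil
	}
	return true, "", nil
}
```

A real handler would copy the returned allowed flag and message into AdmissionReview.response (with the request's uid) before writing it back to the API server.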

Merged PRs:- #3

Community Bonding Period

The previous merged code had many bugs since it was written from various sources and was just used to give a basic structure to our project. So, during this time I had to re-write some code and make some changes in the manifests which are used to deploy those webhooks. Once the majority of the work was done, I started writing the Readme and also designed a logo for the middleware. After that, I had to write detailed documentation for the usage of our middleware. So, I wrote the docs under the Advanced Usage section in the official Casbin docs.

K8s — Authz Logo

Also, the previous code was using the v1beta1 version of the k8s API, which had been deprecated since 2019. So, I then had to migrate those APIs to v1.

Merged PRs:- #4, #225

Coding Phase-1

During this phase, I wrote some tests to check the policy validation. I had to set up the CI for those tests and also for checking the lint and the code quality. The lints were failing initially, so I had to fix those first and then move on to semantic release of the package. As of now the Coveralls badge in the Readme is showing unknown, so I will be fixing it in the upcoming PR.

Our middleware only had support for limited operations, and that too only for pods. So, I then extended its support to all operations and to each resource/sub-resource of k8s. From now on, whenever the user performs any type of operation on any resource/sub-resource, the webhook gets triggered.

Merged PRs:- #6, #8, #11, #14, #246

The project is almost complete by this time and it could be used in a production-grade k8s cluster. In the next phase, my task will be to integrate Casbin into:-

  1. Istio:- an open source service mesh that layers transparently onto existing distributed applications.
  2. Kubesphere:- a distributed operating system for cloud-native application management, using Kubernetes as its kernel.

If anyone would like to contribute to Casbin or its related projects, you can go through the beginner issues, where a number of good first issues are present, and start contributing. If there are any doubts regarding the projects or their use cases, you can join our Gitter channel to clear them.

I'm really excited for the next phase. My next post will be the final phase article, which will describe the overall journey and the lessons I learned from this experience. I will also probably write a blog post describing both GSoC experiences and how they helped me grow in a significant way. So stay tuned and follow for more updates!

Ashish Malik

GSoC'21 @ Casbin, GSoC'20 @ OWASP, Backend-Dev, Security