garm

command module
v3.2.0 Latest
Published: Dec 16, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

README

Garm

What is Garm

Garm implements the Kubernetes authorization webhook interface to provide access control on your K8s resources with Athenz RBAC policy. It allows flexible resource mapping from K8s resources to Athenz ones, multi-tenancy, and black/white list.

By default, Garm relies on the native Kubernetes authentication for authorization. However, it also supports the Kubernetes authentication webhook. Using the authentication hook requires Athenz to be able to sign tokens for users.

Requires go 1.18 or later.

Use Case

Authorization

  1. K8s webhook request (SubjectAccessReview) (Webhook Mode - Kubernetes)
    • the K8s API server wants to know if the user is allowed to do the requested action
  2. Athenz RBAC request (Athenz)
    • Athenz server contains the user authorization information for access control
    • asks the Athenz server whether the user's action is allowed based on the pre-configured policy

Garm converts the K8s request to an Athenz request based on the mapping rules in config.yaml (example).

P.S. The above is just a sample deployment solution. Garm can work in any environment as long as it can access both the API server and the Athenz server.
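
The authorization flow above, as an added Go example that is not taken from Garm's code base: it parses a SubjectAccessReview, maps it to an Athenz-style (principal, action, resource) check, and returns an explicit denial on malformed input or a backend error. The `Review` function, the `check` callback signature, the `k8s.example` domain and the resource naming scheme are assumptions for illustration; Garm's real mapping rules come from its config.yaml.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request holds the SubjectAccessReview fields used here (JSON keys match case-insensitively).
type Request struct {
	Kind string
	Spec struct {
		User               string
		ResourceAttributes *struct{ Namespace, Verb, Resource, Name string }
	}
}

// Status is the "status" object of the review returned to the API server.
type Status struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"`
	Reason  string `json:"reason,omitempty"`
}

// Review denies on bad input or backend error; check is a hypothetical stand-in for the Athenz call.
func Review(body []byte, domain string, check func(principal, action, resource string) (bool, error)) Status {
	var r Request
	if err := json.Unmarshal(body, &r); err != nil || r.Kind != "SubjectAccessReview" {
		return Status{Denied: true, Reason: "malformed SubjectAccessReview"}
	}
	ra := r.Spec.ResourceAttributes
	if ra == nil || r.Spec.User == "" || ra.Verb == "" || ra.Resource == "" {
		return Status{Denied: true, Reason: "missing user or resource attributes"}
	}
	// Illustrative mapping, not Garm's rules: verb -> action, domain:namespace.resource.name -> resource.
	resource := fmt.Sprintf("%s:%s.%s.%s", domain, ra.Namespace, ra.Resource, ra.Name)
	ok, err := check(r.Spec.User, ra.Verb, resource)
	if err != nil {
		return Status{Denied: true, Reason: "athenz check failed: " + err.Error()}
	}
	if !ok {
		return Status{Denied: true, Reason: "denied by Athenz policy"}
	}
	return Status{Allowed: true}
}

func main() {
	// Constructed sample request; the stub policy allows only "get".
	body := []byte(`{"kind":"SubjectAccessReview","spec":{"user":"alice","resourceAttributes":{"namespace":"prod","verb":"get","resource":"pods","name":"web"}}}`)
	fmt.Printf("%+v\n", Review(body, "k8s.example", func(_, a, _ string) (bool, error) { return a == "get", nil }))
}
```

Setting `denied` to true rather than only leaving `allowed` false matters when other authorizers are chained: the Kubernetes API server treats `allowed: false` alone as "no opinion" and may consult the next authorizer.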

Docker
$ docker pull docker.io/athenz/garm
Usage

About releases

  • Releases
    • GitHub release (latest by date)
    • Docker Image Version (tag latest)

Documentation

There is no documentation for this package.

Directories

Path Synopsis
Package config defines all configuration of Garm.
Package handler provides an interface to handle K8s webhook requests, including authentication and authorization requests.
Package log manages the interface for Garm application logger.
Package router routes HTTP requests to corresponding handler.
TODO: This code is based on athenz/k8s-athenz-sia's implementation: TODO: https://github.com/AthenZ/k8s-athenz-sia/blob/main/pkg/util/cert-reloader.go TODO: Yet, the original code is tailored specifically to k8s-athenz-sia's logic TODO: So we could not copy the k8s-athenz-sia's cert-reloader code as is.
third_party
webhook
Package webhook provides the handlers and customization points for implementing a K8s webhook for authentication and authorization using Athenz.
Package usecase provides the Garm daemon implementation.
