|
1 | 1 | # spicedb-kubeapi-proxy |
2 | 2 |
|
3 | | -Runs a proxy in front of kube-apiserver that can authorize requests and filter |
4 | | -responses using an embedded or remote SpiceDB. |
| 3 | +`spicedb-kubeapi-proxy` is a proxy that runs in between clients and the kube |
| 4 | +apiserver that can authorize requests and filter responses using an embedded or |
| 5 | +remote SpiceDB. |
| 6 | + |
| 7 | +## Status |
| 8 | + |
| 9 | +The [issues](https://github.com/authzed/spicedb-kubeapi-proxy/issues) track |
| 10 | +the current state of the project, but the primary goals before 1.0 are: |
| 11 | + |
| 12 | +- Stabilizing the API for configuring proxy rules |
| 13 | +- Gaining operational experience and proving the system in production |
| 14 | + |
| 15 | +## Features |
| 16 | + |
| 17 | +- 🚀 Authorize any request to the Kubernetes cluster based on data in SpiceDB |
| 18 | +- ✨ Filter responses (including lists) from the kubernetes cluster based on data in SpiceDB |
| 19 | +- 🌶️ Write to both SpiceDB and Kubernetes in a single transaction (durably) |
| 20 | +- 🪩 Use different user authentication in the proxy than you do in the base cluster |
| 21 | +- 🎉 No syncing between SpiceDB and Kubernetes is required |
| 22 | +- 🔒 Does not require admin permissions in the base cluster |
| 23 | +- 📦 Run the proxy in-cluster or out-of-cluster |
| 24 | +- 📡 Use an embedded SpiceDB or a remote SpiceDB |
| 25 | +- 📜 Configure with a variety of different rules to control access to the cluster |
| 26 | +- 📊 Metrics and tracing support |
| 27 | + |
| 28 | +## Architecture |
| 29 | + |
| 30 | + |
| 31 | + |
| 32 | +The proxy authenticates itself with the downstream kube-apiserver (client certs |
| 33 | +if running out-of-cluster, service account token if running in-cluster). |
| 34 | +The proxy is configured with a set of rules that define how to authorize requests |
| 35 | +and how to filter responses by communicating with SpiceDB. |
| 36 | + |
| 37 | +There are three basic types of rule: |
| 38 | + |
| 39 | +- **Check** rules: these are used to authorize whether a request is allowed to |
| 40 | + proceed at all. For example, a rule might say that a user can only list pods |
| 41 | + in a namespace `foo` if they have a `namespace:foo#list@user:alice` permission |
| 42 | + in SpiceDB. |
| 43 | +- **Filter** rules: these are used to filter the response from the kube-apiserver |
| 44 | + based on the data in SpiceDB. For example, a rule might say that a user can |
| 45 | + only see the pods in namespace `foo` if there are corresponding relationships |
| 46 | + in SpiceDB that enumerate the allowed pods, like `pod:foo/a#view@user:alice` |
| 47 | + and `pod:foo/b#view@user:alice`. In this example, `alice` would see pods `a` |
| 48 | + and `b` in namespace `foo`, but no others. |
| 49 | +- **Write** rules: these are used to write data to SpiceDB based on the request |
| 50 | + that the proxy is authorizing. For example, if `alice` creates a new pod `c` |
| 51 | + in namespace `foo`, a rule can determine that a relationship should be written |
| 52 | + to SpiceDB that grants ownership, i.e. `pod:foo/a#view@user:alice`. |
| 53 | + |
| 54 | +Rules often work in tendem; for example, a `Check` rule might authorize a request |
| 55 | +to list pods in a namespace, and a `Filter` rule might further restrict the |
| 56 | +response to only include certain pods. |
| 57 | + |
| 58 | +Note that the proxy does not assume anything about the structure of the data in |
| 59 | +SpiceDB. It is up to the user to define the data in SpiceDB and the rules that |
| 60 | +the proxy uses to authorize and filter requests. |
| 61 | + |
| 62 | +The proxy rejects any request for which it doesn't find a matching rule. |
5 | 63 |
|
6 | 64 | # Development |
7 | 65 |
|
|
0 commit comments