Skip to content

casbin/casbin-crd-adapter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
.github/workflows
.github/workflows
 
 
examples
examples
 
 
testdata
testdata
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
.releaserc.json
.releaserc.json
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
adapter.go
adapter.go
 
 
adapter_test.go
adapter_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

Casbin CRD Adapter

Go Report Card CI Coverage Status GoDoc Release Discord

A Kubernetes Custom Resource Definition (CRD) adapter for Casbin. With this adapter, Casbin can load policy rules from Kubernetes Custom Resources instead of traditional databases.

Features

  • Read-Only Adapter: Designed to keep Kubernetes CRDs as the single source of truth for policies
  • Namespace-Scoped and Cluster-Scoped: Supports both namespace-scoped and cluster-scoped policy resources
  • Duplicate Handling: Automatically deduplicates policies when loading from multiple CRs
  • Deterministic Ordering: Ensures consistent policy loading order across multiple invocations
  • RBAC Support: Handles both permission rules (p) and role/group bindings (g)
  • No Database Required: Eliminates the need for external database dependencies at runtime

Installation

go get github.com/casbin/casbin-crd-adapter

CRD Schema

The adapter expects CasbinPolicy custom resources with the following structure:

apiVersion: casbin.org/v1alpha1
kind: CasbinPolicy
metadata:
  name: example-policy
  namespace: default  # optional, omit for cluster-scoped
spec:
  policyType: p  # or "g" for grouping policies
  rules:
    - values: ["alice", "data1", "read"]
    - values: ["bob", "data2", "write"]

Policy Types

  • p: Permission policies (who can do what on which resource)
  • g: Grouping policies (role/group bindings)

Usage

Basic Usage (Namespace-Scoped)

package main

import (
	"log"

	"github.com/casbin/casbin/v3"
	crdadapter "github.com/casbin/casbin-crd-adapter"
)

func main() {
	// Create adapter for namespace-scoped policies
	adapter, err := crdadapter.NewAdapter("default")
	if err != nil {
		log.Fatal(err)
	}

	// Create enforcer with the adapter
	e, err := casbin.NewEnforcer("model.conf", adapter)
	if err != nil {
		log.Fatal(err)
	}

	// Use the enforcer
	ok, err := e.Enforce("alice", "data1", "read")
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("Alice can read data1: %v", ok)
}

Cluster-Scoped Usage

// Create adapter for cluster-scoped policies
adapter, err := crdadapter.NewAdapter("")
if err != nil {
	log.Fatal(err)
}

Using with Fake Client (for Testing)

import (
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/dynamic/fake"
	crdadapter "github.com/casbin/casbin-crd-adapter"
)

func TestWithFakeClient() {
	scheme := runtime.NewScheme()
	client := fake.NewSimpleDynamicClient(scheme)
	
	adapter := crdadapter.NewAdapterWithClient(client, "default")
	
	e, err := casbin.NewEnforcer("model.conf", adapter)
	// ...
}

Example CRD Definitions

Permission Policy

apiVersion: casbin.org/v1alpha1
kind: CasbinPolicy
metadata:
  name: user-permissions
  namespace: default
spec:
  policyType: p
  rules:
    - values: ["alice", "data1", "read"]
    - values: ["alice", "data1", "write"]
    - values: ["bob", "data2", "write"]

Role/Group Bindings

apiVersion: casbin.org/v1alpha1
kind: CasbinPolicy
metadata:
  name: role-bindings
  namespace: default
spec:
  policyType: g
  rules:
    - values: ["alice", "admin"]
    - values: ["bob", "developer"]

RBAC Model Example

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Write Operations

This adapter is read-only by design. All write operations (SavePolicy, AddPolicy, RemovePolicy, RemoveFilteredPolicy) will return ErrWriteNotSupported.

To modify policies, update the Kubernetes CRD resources directly using kubectl or the Kubernetes API:

# Apply a new policy
kubectl apply -f policy.yaml

# Update existing policy
kubectl edit casbinpolicy example-policy -n default

# Delete a policy
kubectl delete casbinpolicy example-policy -n default

How It Works

  1. The adapter connects to the Kubernetes API server (either in-cluster or via kubeconfig)
  2. It lists all CasbinPolicy custom resources (filtered by namespace if specified)
  3. Policies are sorted deterministically by namespace, name, and policy type
  4. Duplicate policies are automatically removed
  5. Policies are loaded into the Casbin enforcer

Testing

Run the test suite:

go test -v ./...

With coverage:

go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...

Development

Prerequisites

  • Go 1.23.0 or higher
  • Access to a Kubernetes cluster (for integration testing)

Building

go build ./...

Running Tests

go test ./...

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.

Related Projects

  • Casbin - An authorization library that supports access control models like ACL, RBAC, ABAC
  • gorm-adapter - GORM adapter for Casbin
  • ent-adapter - Ent adapter for Casbin

Support

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 1

v1.0.0 Latest
Jan 10, 2026

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages