feat: design k8s admission policy controller with casbin #1

@AKonnyaku

We will define a k8s-native admission policy controller that is easy to install and operate.

  • unify CRD-based policy storage and informer watcher to manage k8s resource policies
  • implement admission webhook for create and update operations, querying Casbin models for allow or deny decisions
  • provide rule templates for pod security, image tag validation, resource quotas and namespace isolation scenarios
  • add dry-run mode, audit of existing resources and metrics to support safe rollout and operational visibility
  • package Helm charts and a CLI tool for installation and include CI benchmarks to guard performance and correctness

Need to have code (Apache header year is 2026) and unit tests
Need to have CI (use semantic-release and below trigger)

To:

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

CI only needs to run against Go 1.23.0
Need to have a README (with badges) and quickstart examples
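
The webhook decision path described in the issue (create/update handling, an image tag rule, dry-run mode), as an added example that is not code from this project. It uses only the Go standard library, so a plain rule function stands in where the real controller would query a Casbin enforcer; the names `decide`, `mutableTag` and `decision` and the sample request are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the admission.k8s.io/v1 AdmissionReview request (stdlib only).
type request struct {
	UID, Operation string
	Object         json.RawMessage
}
type pod struct{ Spec struct{ InitContainers, Containers []struct{ Image string } } }

// decision: Findings become status.message on deny, warnings in dry-run.
type decision struct {
	UID      string
	Allowed  bool
	Findings []string
}

// mutableTag is true for a missing tag or ":latest"; digest-pinned refs pass.
func mutableTag(image string) bool {
	name := image[strings.LastIndex(image, "/")+1:] // skip registry host:port
	return !strings.Contains(image, "@") && (!strings.Contains(name, ":") || strings.HasSuffix(name, ":latest"))
}

// decide checks CREATE/UPDATE requests; dry-run records findings but allows.
// The rule below is a stand-in for the Casbin enforcer call (assumption).
func decide(raw []byte, dryRun bool) (decision, error) {
	var in struct{ Request *request }
	if json.Unmarshal(raw, &in) != nil || in.Request == nil {
		return decision{}, fmt.Errorf("malformed AdmissionReview")
	}
	d, p := decision{UID: in.Request.UID, Allowed: true}, pod{}
	if op := in.Request.Operation; op != "CREATE" && op != "UPDATE" {
		return d, nil
	} else if json.Unmarshal(in.Request.Object, &p) != nil {
		d.Findings = append(d.Findings, "unparseable object") // fail closed
	}
	for _, c := range append(p.Spec.InitContainers, p.Spec.Containers...) {
		if mutableTag(c.Image) {
			d.Findings = append(d.Findings, "mutable image tag: "+c.Image)
		}
	}
	d.Allowed = dryRun || len(d.Findings) == 0
	return d, nil
}

func main() { // constructed sample request, evaluated in dry-run mode
	fmt.Println(decide([]byte(`{"request":{"uid":"u-1","operation":"CREATE","object":{"spec":{"containers":[{"image":"nginx:latest"}]}}}}`), true))
}
```

Init containers are checked along with regular containers, and a CREATE or UPDATE whose object cannot be parsed is denied rather than waved through.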

Labels: enhancement (New feature or request)
