Proposal: Integrate Gatekeeper and Casbin into KubeSphere
Created by: sagilio
Background
PodSecurityPolicy (PSP) has been stuck in beta since it was introduced in Kubernetes 1.3, and it is being deprecated in Kubernetes 1.21, which starts the countdown to its removal.
Kubernetes also allows policy decisions to be decoupled from the inner workings of the API server by means of admission controller webhooks, which are invoked whenever a resource is created, updated or deleted, so a third-party admission controller can take over the role PSP played.
Proposal
Gatekeeper is a validating (mutating TBA) admission webhook that enforces CRD-based policies executed by Open Policy Agent. We can integrate Gatekeeper into KubeSphere and manage the common rules and policies through its CRDs (ConstraintTemplates, which carry the Rego, and Constraints, which bind a template to resource kinds and parameters).
Casbin is an authorization library that supports access control models such as ACL, RBAC and ABAC and has many users; the Casbin community will do its best to support this feature. Tracking issue: https://github.com/casbin/kubesphere-authz/issues/4
I think this feature should cover the following points:
- Users can add, edit, delete, enable and disable admission policies in the KubeSphere Console, for example whether privileged containers are allowed and which image repositories are trusted.
- Users receive a notification in the KubeSphere Console when a request is rejected by an admission policy.
- Users can select which third-party admission controller to use in the configuration.
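As an added example (not part of this proposal and not KubeSphere's or Gatekeeper's own manifests) of what the CRD-based policies mentioned under Gatekeeper look like for the first point above: a ConstraintTemplate whose Rego rejects privileged containers and images outside an allow-list of repositories, and a Constraint that applies it to Pods. The template and kind name `K8sDenyPrivilegedUntrustedImage`, the constraint name and the `registry.example.com/` repository are assumptions chosen for the example; `input.review.object` and `input.parameters` are the fields Gatekeeper hands to the Rego.

```yaml
# Added example: not KubeSphere's or Gatekeeper's own manifests.
# Template/kind/constraint names and the repository value are assumptions.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyprivilegeduntrustedimage
spec:
  crd:
    spec:
      names:
        kind: K8sDenyPrivilegedUntrustedImage
      validation:
        # Schema for the parameters a Constraint may pass in.
        openAPIV3Schema:
          type: object
          properties:
            allowedRepos:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyprivilegeduntrustedimage

        # Gather regular and init containers so both are checked.
        containers[c] {
          c := input.review.object.spec.containers[_]
        }
        containers[c] {
          c := input.review.object.spec.initContainers[_]
        }

        # Reject any container that asks for privileged mode.
        violation[{"msg": msg}] {
          c := containers[_]
          c.securityContext.privileged == true
          msg := sprintf("privileged container %q is not allowed", [c.name])
        }

        # Reject any image whose reference does not start with an allowed repo.
        violation[{"msg": msg}] {
          c := containers[_]
          not image_from_trusted_repo(c.image)
          msg := sprintf("container %q uses image %q from an untrusted repository", [c.name, c.image])
        }

        image_from_trusted_repo(image) {
          repo := input.parameters.allowedRepos[_]
          startswith(image, repo)
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyPrivilegedUntrustedImage
metadata:
  name: deny-privileged-untrusted-image
spec:
  # Start in dryrun to only record violations; switch to deny (the default)
  # once the existing workloads have been reviewed.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedRepos:
      - "registry.example.com/"
```

Two details a console that edits these objects should take care of: the repository prefixes must end with a separator (`registry.example.com/`, not `registry.example.com`), otherwise `startswith` also accepts `registry.example.com.attacker.io/…`; and a Pod admitted while the constraint is in `dryrun` is only logged as a violation, so the rejection notification described above will only appear after the constraint is switched to `deny`.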
What do we need to do?
- https://github.com/kubesphere/ks-installer/issues/1633
- Integrate Casbin into ks-installer
- Add admission policy management APIs
- Handle admission validation errors in the request chains
- Add admission policy management UI to ks-console
/area security /kind proposal