
Show HN: Kubernetes Permission Manager, Free and OSS Tool to Manage RBAC/Users - jnardiello
https://github.com/sighupio/permission-manager
======
charlieegan3
It might be good to clarify your expected users.

Most Kubernetes users I have worked with integrated with some cloud provider
auth or similar to grant permissions to Kubernetes resources.

I can see this being useful for smaller deployments or when such integrations
are unavailable but it might be worth explaining that in the readme of the
project.

Also, how do you see this working in the config as code / ‘gitops’ world? How
does this work for clusters in different environments?

~~~
jnardiello
You are entirely correct; we started this project as an internal tool to be
used in any environment where no integration with IAM/OIDC/LDAP/AD/etc. was
available (we handle LOTS of clusters and many of them are in this situation).

So, this is mostly recommended (as you said) for smaller projects/teams/orgs,
but we figured this would still be useful to many, so we just open-sourced
it.

It's also entirely true that you can use it in any cluster, as Kubernetes
under the hood does NOT have any concept of "user"; it's just a bunch of
certificates with some roles attached, so you can actually deploy it anywhere
and use it to release certs on the fly for your users.

As for gitops, that's a great question we got asked a few times today. It's
just not there right now; this is a nice web UI wrapping RBAC primitives. We'll
surely be working on it soon.

Hopefully, this was clear. Let me know if you have more questions.
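
The "certificates with some roles attached" model in the reply above, shown as an added example (not code from the permission-manager project): a client CSR is built with the subject CN as the Kubernetes username and the O values as its groups, an approver-side check parses the CSR back and refuses the reserved `system:` names (a CSR whose O contains `system:masters` would be signed into a certificate that is cluster-admin regardless of any RoleBinding), and the CertificateSigningRequest and RoleBinding manifests that would be applied to the cluster are rendered. The user `alice`, group `dev-team`, namespace `team-a` and role `edit` are made-up values for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Identity is what the kube-apiserver derives from a client certificate:
// the username is the subject CN, the groups are the subject O values.
type Identity struct {
	User   string
	Groups []string
}

// NewClientCSR builds a PEM-encoded CSR for a Kubernetes user. CN and O are
// the only subject fields the API server maps to an identity.
func NewClientCSR(user string, groups []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: user, Organization: groups},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// IdentityFromCSR is the check an approver should run before signing: verify
// the CSR's self-signature, extract the identity Kubernetes will trust, and
// refuse the reserved "system:" prefix (e.g. the system:masters superuser group).
func IdentityFromCSR(csrPEM []byte) (Identity, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return Identity{}, errors.New("not a PEM CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return Identity{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return Identity{}, err
	}
	id := Identity{User: csr.Subject.CommonName, Groups: csr.Subject.Organization}
	if id.User == "" {
		return Identity{}, errors.New("CSR has no CN; Kubernetes would see an empty username")
	}
	for _, name := range append([]string{id.User}, id.Groups...) {
		if strings.HasPrefix(name, "system:") {
			return Identity{}, fmt.Errorf("refusing reserved identity %q", name)
		}
	}
	return id, nil
}

// CSRManifest renders the CertificateSigningRequest for the built-in client
// signer. The usages must include "client auth" or the signer rejects it.
func CSRManifest(name string, csrPEM []byte, expirationSeconds int) string {
	return fmt.Sprintf(`apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: %s
spec:
  request: %s
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: %d
  usages:
  - digital signature
  - key encipherment
  - client auth
`, name, base64.StdEncoding.EncodeToString(csrPEM), expirationSeconds)
}

// RoleBindingManifest attaches a namespaced Role to the group carried in O,
// so new certs for the same team need no further RBAC changes.
func RoleBindingManifest(namespace, role, group string) string {
	return fmt.Sprintf(`apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: %s-%s
  namespace: %s
subjects:
- kind: Group
  name: %s
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: %s
  apiGroup: rbac.authorization.k8s.io
`, group, role, namespace, group, role)
}

func main() {
	csrPEM, _, err := NewClientCSR("alice", []string{"dev-team"}) // made-up user and group
	if err != nil {
		panic(err)
	}
	id, err := IdentityFromCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("cert will authenticate as user=%s groups=%v\n", id.User, id.Groups)
	fmt.Print(CSRManifest("alice", csrPEM, 86400))
	fmt.Print(RoleBindingManifest("team-a", "edit", "dev-team"))
}
```

The expiry matters more than usual here: the API server does not consult CRLs or OCSP for client certificates, so a certificate issued this way stays valid until it expires and the only "revocation" available is removing the bindings for its user and groups, which is why `expirationSeconds` is kept short in the example.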

------
znpy
Thanks, this solves a very important problem in the k8s ecosystem.

For me personally, I've spent the weekends of the last two months learning
ldap basics only to find out that k8s+ldap is another mess on its own.

------
benwilson-512
This looks very cool. Is there a story for managing users associated with AWS
IAM roles or users?

------
aliljet
This is honestly pretty fantastic. How does this compare with things like
Dex+Gangway?

~~~
jnardiello
Entirely different use-case. This is a simplified way to create new users,
templates and distribute certificates to access a cluster. It does NOT
integrate with external LDAPs/AD/etc.

------
streetcat1
So, can you compare this to OPA? Are you integrating with OPA?

Also, there was an old project called casbin which is used by ArgoCD.

In my system, I created an Account CRD and let an account controller do all
the logic. This way you do not need another api server.

~~~
jnardiello
Not related to OPA. This is not an admission webhook, nor does it deal with
Gatekeeper and such; it does not enforce policies. It's a simple abstraction
on the cert creation mechanisms and native Kubernetes RBAC.

