Kudo is a Kubernetes controller that allows individual users to temporarily escalate their permissions while still maintaining security and crystal clear auditability.
It complements existing access control systems (Kubernetes RBAC, GCP IAM) and relies on them to temporarily grant or reclaim permissions. In the context of Kubernetes, Kudo temporarily creates a RoleBinding or a ClusterRoleBinding between an existing role and the escalation requestor.
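The grant-and-reclaim cycle described above, written out as an added example (this is not Kudo's own code and does not use client-go; the struct types mirror the rbac.authorization.k8s.io/v1 field names, and the request shape, policy, annotation keys and sample values such as the "alice" user and "pod-debugger" role are assumptions made for the example). It shows the two security-relevant decisions a controller of this kind has to make: refusing requests that fall outside a role allow-list or a maximum duration, and deciding when a binding is due to be reclaimed, failing closed if the expiry annotation is missing or tampered with.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Local mirror of the rbac.authorization.k8s.io/v1 binding shape, written for
// this example (not Kudo's types, not client-go). Field names follow the API.
type Subject struct {
	Kind     string `json:"kind"`
	APIGroup string `json:"apiGroup,omitempty"`
	Name     string `json:"name"`
}

type RoleRef struct {
	APIGroup string `json:"apiGroup"`
	Kind     string `json:"kind"`
	Name     string `json:"name"`
}

type Metadata struct {
	Name        string            `json:"name"`
	Namespace   string            `json:"namespace,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type Binding struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Metadata   Metadata  `json:"metadata"`
	Subjects   []Subject `json:"subjects"`
	RoleRef    RoleRef   `json:"roleRef"`
}

// Hypothetical annotation keys that make every temporary grant self-describing
// for audit: who asked, why, and when the grant is due to be reclaimed.
const (
	AnnotationExpiresAt = "kudo.example/expires-at"
	AnnotationReason    = "kudo.example/reason"
	AnnotationRequester = "kudo.example/requested-by"
)

// EscalationRequest is an assumed request shape. An empty Namespace means the
// grant is cluster-wide and results in a ClusterRoleBinding.
type EscalationRequest struct {
	User      string
	Namespace string
	Role      string
	Reason    string
	Duration  time.Duration
}

// Policy caps what a request may ask for: only allow-listed roles can be
// granted temporarily, and never for longer than MaxDuration.
type Policy struct {
	AllowedRoles map[string]bool
	MaxDuration  time.Duration
}

// BuildBinding validates the request against the policy and returns the
// binding that would be created. Out-of-policy requests are refused rather
// than silently clamped, so a rejection is visible to the requester and in logs.
func BuildBinding(req EscalationRequest, pol Policy, now time.Time) (*Binding, error) {
	switch {
	case strings.TrimSpace(req.User) == "":
		return nil, fmt.Errorf("escalation: user is required")
	case strings.TrimSpace(req.Reason) == "":
		return nil, fmt.Errorf("escalation: a reason is required for audit")
	case !pol.AllowedRoles[req.Role]:
		return nil, fmt.Errorf("escalation: role %q is not escalatable", req.Role)
	case req.Duration <= 0 || req.Duration > pol.MaxDuration:
		return nil, fmt.Errorf("escalation: duration %s outside (0, %s]", req.Duration, pol.MaxDuration)
	}
	kind, roleKind := "RoleBinding", "Role"
	if req.Namespace == "" {
		kind, roleKind = "ClusterRoleBinding", "ClusterRole"
	}
	expires := now.Add(req.Duration).UTC().Format(time.RFC3339)
	return &Binding{
		APIVersion: "rbac.authorization.k8s.io/v1",
		Kind:       kind,
		Metadata: Metadata{
			Name:      fmt.Sprintf("kudo-%s-%s", req.User, req.Role),
			Namespace: req.Namespace,
			Annotations: map[string]string{
				AnnotationExpiresAt: expires,
				AnnotationReason:    req.Reason,
				AnnotationRequester: req.User,
			},
		},
		Subjects: []Subject{{Kind: "User", APIGroup: "rbac.authorization.k8s.io", Name: req.User}},
		RoleRef:  RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: roleKind, Name: req.Role},
	}, nil
}

// IsExpired is the reclaim check. A binding whose expiry annotation is missing
// or unparsable is treated as expired, so a tampered annotation fails closed.
func IsExpired(b *Binding, now time.Time) bool {
	raw, ok := b.Metadata.Annotations[AnnotationExpiresAt]
	if !ok {
		return true
	}
	exp, err := time.Parse(time.RFC3339, raw)
	if err != nil {
		return true
	}
	return !now.Before(exp)
}

func main() {
	// Constructed sample request: one hour of an allow-listed namespaced role.
	pol := Policy{AllowedRoles: map[string]bool{"pod-debugger": true}, MaxDuration: 2 * time.Hour}
	req := EscalationRequest{User: "alice", Namespace: "payments", Role: "pod-debugger", Reason: "INC-123", Duration: time.Hour}
	b, err := BuildBinding(req, pol, time.Now())
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(b, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints the RoleBinding manifest that would be applied, with the expiry, reason and requester carried in annotations so that an audit of the cluster can explain every temporary binding without consulting the controller's logs. A real controller would also watch for the expiry and delete the binding, which is the reclaim step IsExpired decides.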
To gain a better understanding of what Kudo is, you can refer to the Kudo website.
This is a toy project at the moment. Please do not try to use it in that state, as it can be dangerous from a security standpoint, and I don't provide support in any case.
Still, if you like the idea, please let me know!
The kudo project carries pretty much everything I have in mind for kudo. Feel free to pick a task in the TODO column.
Here's a list of tools you need to have installed to run your development environment.
You need to have both kudo-registry.localhost and kudo-e2e-registry.localhost configured to resolve to 127.0.0.1 in your development environment.
The following command line spins up a k3d cluster, provisions the necessary resources and installs the version of kudo from your current tree into the cluster.
make run_dev
To simulate an escalation (this switches your current kubectl context to the kudo test user, creates the permission, then switches back to the admin context):
make escalate_dev
To display the controller logs:
make logs_dev
When you're done:
make stop_dev
And if you need a reminder of the available targets:
make help
make unit_tests
runs the unit test suite, i.e. all the tests defined in the packages.
make e2e_tests
runs the end-to-end test suite, which simulates real kudo use cases. The test suite lives under the ./e2e directory.
make serve_docs
starts a local webserver. You can then go to http://localhost:1313/kudo to check your local doc.