Overview
Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.
Constants
This section is empty.
Variables
This section is empty.
Functions
func DefaultRetryBackoff (added in v0.20.0)
    func DefaultRetryBackoff() *wait.Backoff
DefaultRetryBackoff returns the default backoff parameters for webhook retry.
Types
type AuthorizerMetrics (added in v0.22.0)
    type AuthorizerMetrics struct {
        // RecordRequestTotal increments the total number of requests for the webhook authorizer.
        RecordRequestTotal func(ctx context.Context, code string)
        // RecordRequestLatency measures request latency in seconds for webhooks, broken down by status code.
        RecordRequestLatency func(ctx context.Context, code string, latency float64)
    }
AuthorizerMetrics specifies a set of methods that are used to register various metrics for the webhook authorizer.
type WebhookAuthorizer
    type WebhookAuthorizer struct {
        // contains filtered or unexported fields
    }
func New
    func New(config *rest.Config, version string, authorizedTTL, unauthorizedTTL time.Duration, retryBackoff wait.Backoff, decisionOnError authorizer.Decision, matchConditions []apiserver.WebhookMatchCondition) (*WebhookAuthorizer, error)
New creates a new WebhookAuthorizer from the provided kubeconfig file. The config's cluster field refers to the remote service; the user field refers to the returned authorizer, that is, to the API server side of the connection.
    # clusters refers to the remote service.
    clusters:
      - name: name-of-remote-authz-service
        cluster:
          certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
          server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'.

    # users refers to the API server's webhook configuration.
    users:
      - name: name-of-api-server
        user:
          client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
          client-key: /path/to/key.pem          # key matching the cert
For additional HTTP configuration, refer to the kubeconfig documentation https://kubernetes.io/docs/user-guide/kubeconfig-file/.
func NewFromInterface
    func NewFromInterface(subjectAccessReview authorizationv1client.AuthorizationV1Interface, authorizedTTL, unauthorizedTTL time.Duration, retryBackoff wait.Backoff, decisionOnError authorizer.Decision, metrics AuthorizerMetrics) (*WebhookAuthorizer, error)
NewFromInterface creates a WebhookAuthorizer using the given subjectAccessReview client.
func (*WebhookAuthorizer) Authorize
    func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (decision authorizer.Decision, reason string, err error)
Authorize makes a REST request to the remote service describing the attempted action as a JSON serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is provided below.
    {
      "apiVersion": "authorization.k8s.io/v1beta1",
      "kind": "SubjectAccessReview",
      "spec": {
        "resourceAttributes": {
          "namespace": "kittensandponies",
          "verb": "GET",
          "group": "group3",
          "resource": "pods"
        },
        "user": "jane",
        "group": [
          "group1",
          "group2"
        ]
      }
    }
The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or disallow access. A permissive response would return:
    {
      "apiVersion": "authorization.k8s.io/v1beta1",
      "kind": "SubjectAccessReview",
      "status": {
        "allowed": true
      }
    }
To disallow access, the remote service would return:
    {
      "apiVersion": "authorization.k8s.io/v1beta1",
      "kind": "SubjectAccessReview",
      "status": {
        "allowed": false,
        "reason": "user does not have read access to the namespace"
      }
    }
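The exchange described above, as an added example that is not part of this package or its documentation: a minimal remote authorization service in Go that decodes the SubjectAccessReview the API server posts, applies a constructed namespace-to-group read policy, and answers with the status object shown. The type definitions cover only the fields used in the examples above (the real Kubernetes API types are not imported, so the code runs on the standard library alone), and `policy`, `decide`, `handleReview` and `reviewThroughHandler` are names chosen here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed subset of the SubjectAccessReview shape shown above: only the
// fields the documentation's examples use, not the full Kubernetes API types.
type (
	ResourceAttributes struct {
		Namespace string `json:"namespace,omitempty"`
		Verb      string `json:"verb"`
		Group     string `json:"group,omitempty"`
		Resource  string `json:"resource"`
	}
	SubjectAccessReviewSpec struct {
		ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
		User               string              `json:"user"`
		Group              []string            `json:"group,omitempty"`
	}
	SubjectAccessReviewStatus struct {
		Allowed bool   `json:"allowed"`
		Reason  string `json:"reason,omitempty"`
	}
	SubjectAccessReview struct {
		APIVersion string                    `json:"apiVersion"`
		Kind       string                    `json:"kind"`
		Spec       SubjectAccessReviewSpec   `json:"spec"`
		Status     SubjectAccessReviewStatus `json:"status"`
	}
)

// policy is a constructed allow-list: namespace -> groups granted read access.
// Anything not listed is denied, with a reason the API server can surface.
var policy = map[string][]string{"kittensandponies": {"group1"}}

// decide applies the policy to the spec of one review.
func decide(spec SubjectAccessReviewSpec) SubjectAccessReviewStatus {
	ra := spec.ResourceAttributes
	if ra == nil {
		return SubjectAccessReviewStatus{Reason: "non-resource requests are not handled by this webhook"}
	}
	switch strings.ToLower(ra.Verb) {
	case "get", "list", "watch": // the only verbs this policy ever grants
	default:
		return SubjectAccessReviewStatus{Reason: fmt.Sprintf("verb %q is not permitted", ra.Verb)}
	}
	for _, granted := range policy[ra.Namespace] {
		for _, g := range spec.Group {
			if g == granted {
				return SubjectAccessReviewStatus{Allowed: true}
			}
		}
	}
	return SubjectAccessReviewStatus{Reason: "user does not have read access to the namespace"}
}

// handleReview is the endpoint the API server POSTs to. Malformed input gets
// a 4xx rather than an answer, so the caller's decisionOnError applies
// instead of an accidental allow.
func handleReview(w http.ResponseWriter, r *http.Request) {
	var review SubjectAccessReview
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&review); err != nil {
		http.Error(w, "malformed SubjectAccessReview: "+err.Error(), http.StatusBadRequest)
		return
	}
	review.Status = decide(review.Spec)
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(review) // apiVersion and kind echoed, status filled in
}

// reviewThroughHandler drives handleReview in-process via httptest so the
// exchange can be exercised without a listener or TLS setup.
func reviewThroughHandler(body []byte) (SubjectAccessReviewStatus, int, error) {
	rec := httptest.NewRecorder()
	handleReview(rec, httptest.NewRequest(http.MethodPost, "/authorize", bytes.NewReader(body)))
	if rec.Code != http.StatusOK {
		return SubjectAccessReviewStatus{}, rec.Code, fmt.Errorf("webhook answered HTTP %d", rec.Code)
	}
	var out SubjectAccessReview
	if err := json.Unmarshal(rec.Body.Bytes(), &out); err != nil {
		return SubjectAccessReviewStatus{}, rec.Code, err
	}
	return out.Status, rec.Code, nil
}

// exampleRequest is the request body from the documentation above.
const exampleRequest = `{"apiVersion":"authorization.k8s.io/v1beta1","kind":"SubjectAccessReview","spec":{"resourceAttributes":{"namespace":"kittensandponies","verb":"GET","group":"group3","resource":"pods"},"user":"jane","group":["group1","group2"]}}`

func main() {
	status, code, err := reviewThroughHandler([]byte(exampleRequest))
	fmt.Printf("HTTP %d allowed=%v reason=%q err=%v\n", code, status.Allowed, status.Reason, err)
}
```

Two points a deployer should take from it: the service answers anything it cannot parse with a 4xx instead of a status object, so the API server treats that as a webhook error (subject to decisionOnError) rather than as an opinion, and every deny carries a reason that ends up in the API server's response to the caller. A real deployment serves the handler over TLS (http.ListenAndServeTLS) with a certificate chained to the certificate-authority in the kubeconfig above, and verifies the API server's client certificate in turn.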
TODO(mikedanese): We should eventually support failing closed when we encounter an error. We are failing open now to preserve backwards compatible behavior.
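A simplified model of what New's authorizedTTL, unauthorizedTTL, retryBackoff and decisionOnError parameters do, written as an added Go example: it is not this package's implementation, and the cache, the retry loop and the Decision, Attributes and reviewFunc types are assumptions made here so that it runs on the standard library alone. Allowed and denied answers are cached for their respective TTLs, a transport failure is retried with exponential backoff, and only once every attempt has failed does decisionOnError choose between failing open (DecisionNoOpinion, the behaviour the TODO above describes) and failing closed (DecisionDeny).

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Decision mirrors the three outcomes an authorizer in the chain can return.
type Decision int

const (
	DecisionDeny Decision = iota
	DecisionAllow
	DecisionNoOpinion // defers to the next authorizer in the chain
)

// Attributes is a constructed stand-in for authorizer.Attributes: enough of the request to key a cache.
type Attributes struct{ User, Namespace, Verb, Resource string }

// reviewFunc models one round trip to the remote service: status.allowed, or a transport error.
type reviewFunc func(ctx context.Context, attr Attributes) (allowed bool, err error)

type cacheEntry struct {
	decision Decision
	expires  time.Time
}

// webhookAuthorizer is a simplified model (not the package's own code) of how New's
// authorizedTTL, unauthorizedTTL, retryBackoff and decisionOnError shape a decision.
type webhookAuthorizer struct {
	review          reviewFunc
	authorizedTTL   time.Duration // how long an allow is served from cache
	unauthorizedTTL time.Duration // how long a deny is served from cache
	retries         int           // further attempts after the first failure
	backoff         time.Duration // base delay, doubled on each retry
	decisionOnError Decision      // returned when every attempt failed
	mu              sync.Mutex
	cache           map[Attributes]cacheEntry
}

func newWebhookAuthorizer(review reviewFunc, authorizedTTL, unauthorizedTTL time.Duration, retries int, backoff time.Duration, decisionOnError Decision) *webhookAuthorizer {
	return &webhookAuthorizer{review: review, authorizedTTL: authorizedTTL, unauthorizedTTL: unauthorizedTTL, retries: retries, backoff: backoff, decisionOnError: decisionOnError, cache: map[Attributes]cacheEntry{}}
}

func (w *webhookAuthorizer) cached(attr Attributes) (Decision, bool) {
	w.mu.Lock()
	defer w.mu.Unlock()
	e, ok := w.cache[attr]
	if !ok || !time.Now().Before(e.expires) {
		delete(w.cache, attr) // expired entries are dropped on the next lookup
		return DecisionNoOpinion, false
	}
	return e.decision, true
}

func (w *webhookAuthorizer) store(attr Attributes, d Decision, ttl time.Duration) {
	if ttl <= 0 {
		return // a zero TTL disables caching for that outcome
	}
	w.mu.Lock()
	defer w.mu.Unlock()
	w.cache[attr] = cacheEntry{decision: d, expires: time.Now().Add(ttl)}
}

// Authorize answers from cache when it can, otherwise asks the webhook with retries. Only a
// transport failure reaches decisionOnError; an explicit "allowed": false is a deny, not an error.
func (w *webhookAuthorizer) Authorize(ctx context.Context, attr Attributes) (Decision, string, error) {
	if d, ok := w.cached(attr); ok {
		return d, "", nil
	}
	var lastErr error
	for attempt := 0; attempt <= w.retries; attempt++ {
		if attempt > 0 {
			time.Sleep(w.backoff * time.Duration(1<<uint(attempt-1))) // exponential backoff
		}
		allowed, err := w.review(ctx, attr)
		if err != nil {
			lastErr = err
			continue
		}
		if allowed {
			w.store(attr, DecisionAllow, w.authorizedTTL)
			return DecisionAllow, "", nil
		}
		w.store(attr, DecisionDeny, w.unauthorizedTTL)
		return DecisionDeny, "webhook denied the request", nil
	}
	// Every attempt failed: DecisionNoOpinion here is the fail-open behaviour the TODO describes, DecisionDeny fails closed.
	return w.decisionOnError, "", fmt.Errorf("webhook unreachable after %d attempts: %w", w.retries+1, lastErr)
}

func main() {
	// Constructed unreachable service: every call fails at the transport layer.
	down := func(context.Context, Attributes) (bool, error) { return false, fmt.Errorf("connection refused") }
	a := newWebhookAuthorizer(down, time.Minute, time.Minute, 2, time.Millisecond, DecisionNoOpinion)
	d, _, err := a.Authorize(context.Background(), Attributes{User: "jane", Namespace: "kittensandponies", Verb: "get", Resource: "pods"})
	fmt.Printf("decision=%d err=%v\n", d, err) // fail-open: NoOpinion together with the transport error
}
```

Run stand-alone it prints the fail-open outcome for an unreachable service. The TTLs are the settings to watch: a request the remote service denied keeps being denied from cache until unauthorizedTTL expires even if the remote policy has since changed, and an allow outlives a revocation for up to authorizedTTL, so both values bound how far the API server can lag the remote policy.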