webhook

package
v1.4.9-beta.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 12, 2017 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type WebhookAuthorizer

type WebhookAuthorizer struct {
	*webhook.GenericWebhook
	// contains filtered or unexported fields
}

func New

func New(kubeConfigFile string, authorizedTTL, unauthorizedTTL time.Duration) (*WebhookAuthorizer, error)

New creates a new WebhookAuthorizer from the provided kubeconfig file.

The config's cluster field is used to refer to the remote service, user refers to the returned authorizer.

# clusters refers to the remote service.
clusters:
- name: name-of-remote-authz-service
  cluster:
    certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
    server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'.

# users refers to the API server's webhook configuration.
users:
- name: name-of-api-server
  user:
    client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
    client-key: /path/to/key.pem          # key matching the cert

For additional HTTP configuration, refer to the kubeconfig documentation http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html.

func (*WebhookAuthorizer) Authorize

func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (authorized bool, reason string, err error)

Authorize makes a REST request to the remote service describing the attempted action as a JSON serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is provided bellow.

{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "spec": {
    "resourceAttributes": {
      "namespace": "kittensandponies",
      "verb": "GET",
      "group": "group3",
      "resource": "pods"
    },
    "user": "jane",
    "group": [
      "group1",
      "group2"
    ]
  }
}

The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or disallow access. A permissive response would return:

{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": true
  }
}

To disallow access, the remote service would return:

{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": false,
    "reason": "user does not have read access to the namespace"
  }
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL