Documentation ¶
Overview ¶
Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type WebhookAuthorizer ¶
type WebhookAuthorizer struct {
// contains filtered or unexported fields
}
func New ¶
func New(kubeConfigFile string, authorizedTTL, unauthorizedTTL time.Duration) (*WebhookAuthorizer, error)
New creates a new WebhookAuthorizer from the provided kubeconfig file.
The config's cluster field is used to refer to the remote service, user refers to the returned authorizer.
# clusters refers to the remote service. clusters: - name: name-of-remote-authz-service cluster: certificate-authority: /path/to/ca.pem # CA for verifying the remote service. server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'. # users refers to the API server's webhook configuration. users: - name: name-of-api-server user: client-certificate: /path/to/cert.pem # cert for the webhook plugin to use client-key: /path/to/key.pem # key matching the cert
For additional HTTP configuration, refer to the kubeconfig documentation http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html.
func NewFromInterface ¶
func NewFromInterface(subjectAccessReview authorizationclient.SubjectAccessReviewInterface, authorizedTTL, unauthorizedTTL time.Duration) (*WebhookAuthorizer, error)
NewFromInterface creates a WebhookAuthorizer using the given subjectAccessReview client
func (*WebhookAuthorizer) Authorize ¶
func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (authorized bool, reason string, err error)
Authorize makes a REST request to the remote service describing the attempted action as a JSON serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is provided bellow.
{ "apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "spec": { "resourceAttributes": { "namespace": "kittensandponies", "verb": "GET", "group": "group3", "resource": "pods" }, "user": "jane", "group": [ "group1", "group2" ] } }
The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or disallow access. A permissive response would return:
{ "apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "status": { "allowed": true } }
To disallow access, the remote service would return:
{ "apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "status": { "allowed": false, "reason": "user does not have read access to the namespace" } }