Documentation
Overview
Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.
Constants
This section is empty.
Variables
This section is empty.
Functions
func DefaultRetryBackoff
DefaultRetryBackoff returns the default backoff parameters for webhook retry.
Types
type AuthorizerMetrics
type AuthorizerMetrics struct {
    // RecordRequestTotal increments the total number of requests for the webhook authorizer
    RecordRequestTotal func(ctx context.Context, code string)
    // RecordRequestLatency measures request latency in seconds for webhooks. Broken down by status code.
    RecordRequestLatency func(ctx context.Context, code string, latency float64)
}
AuthorizerMetrics specifies a set of methods that are used to register various metrics for the webhook authorizer.
type WebhookAuthorizer
type WebhookAuthorizer struct {
// contains filtered or unexported fields
}
func New
func New(kubeConfigFile string, version string, authorizedTTL, unauthorizedTTL time.Duration, retryBackoff wait.Backoff, customDial utilnet.DialFunc) (*WebhookAuthorizer, error)
New creates a new WebhookAuthorizer from the provided kubeconfig file. The config's cluster field is used to refer to the remote service; the user field refers to the returned authorizer.
# clusters refers to the remote service.
clusters:
  - name: name-of-remote-authz-service
    cluster:
      certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
      server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'.

# users refers to the API server's webhook configuration.
users:
  - name: name-of-api-server
    user:
      client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
      client-key: /path/to/key.pem          # key matching the cert
For additional HTTP configuration, refer to the kubeconfig documentation https://kubernetes.io/docs/user-guide/kubeconfig-file/.
func NewFromInterface
func NewFromInterface(subjectAccessReview authorizationv1client.AuthorizationV1Interface, authorizedTTL, unauthorizedTTL time.Duration, retryBackoff wait.Backoff, metrics AuthorizerMetrics) (*WebhookAuthorizer, error)
NewFromInterface creates a WebhookAuthorizer using the given subjectAccessReview client.
func (*WebhookAuthorizer) Authorize
func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (decision authorizer.Decision, reason string, err error)
Authorize makes a REST request to the remote service describing the attempted action as a JSON serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is provided below.
{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "spec": {
    "resourceAttributes": {
      "namespace": "kittensandponies",
      "verb": "GET",
      "group": "group3",
      "resource": "pods"
    },
    "user": "jane",
    "group": [
      "group1",
      "group2"
    ]
  }
}
The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or disallow access. A permissive response would return:
{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": true
  }
}
To disallow access, the remote service would return:
{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": false,
    "reason": "user does not have read access to the namespace"
  }
}
TODO(mikedanese): We should eventually support failing closed when we encounter an error. We are failing open now to preserve backwards compatible behavior.
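The remote side of the exchange above, as an added example that is not part of this package: a small Go handler that decodes a SubjectAccessReview shaped like the bodies shown, evaluates a constructed deny-by-default policy (group1 may read pods in kittensandponies) and answers with the status the authorizer expects, treating anything it cannot parse as a denial. The type names, the policy, the port and the certificate paths are assumptions made for this example, not the package's own types or configuration.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Mirror of the SubjectAccessReview fields this page's example bodies use (assumption: nothing else is modelled).
type ResourceAttributes struct{ Namespace, Verb, Group, Resource string }
type Status struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}
type SubjectAccessReview struct {
	APIVersion, Kind string
	Spec             struct {
		ResourceAttributes *ResourceAttributes
		Group              []string
	}
}
// Constructed policy: groups that may read pods in a namespace; everything else is denied.
var readVerbs = map[string]bool{"get": true, "list": true, "watch": true}
var readPods = map[string]map[string]bool{"group1": {"kittensandponies": true}}
func Decide(sar SubjectAccessReview) Status {
	ra := sar.Spec.ResourceAttributes
	if ra == nil || ra.Resource != "pods" || !readVerbs[strings.ToLower(ra.Verb)] { // the page's example verb is "GET"
		return Status{Reason: "only read access to pods can be granted"}
	}
	for _, g := range sar.Spec.Group {
		if readPods[g][ra.Namespace] {
			return Status{Allowed: true}
		}
	}
	return Status{Reason: "user does not have read access to the namespace"}
}
// Handler is the endpoint Authorize posts to: it bounds the body and answers anything it cannot parse with a denial.
func Handler(w http.ResponseWriter, r *http.Request) {
	var sar SubjectAccessReview
	st := Status{Reason: "malformed SubjectAccessReview"} // fail closed unless a valid review is decided
	err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&sar)
	if r.Method == http.MethodPost && err == nil && sar.Kind == "SubjectAccessReview" {
		st = Decide(sar)
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"apiVersion": "authorization.k8s.io/v1beta1", "kind": "SubjectAccessReview", "status": st})
}
// Cert paths are placeholders; the page requires the remote service to be served over https.
func main() { http.ListenAndServeTLS(":8443", "server.pem", "server-key.pem", http.HandlerFunc(Handler)) }
```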
func (*WebhookAuthorizer) RulesFor
func (w *WebhookAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)
TODO: need to finish the method to get the rules when using webhook mode