webhook package
v0.0.0-...-fb1d941

This package is not in the latest version of its module.
Published: Dec 5, 2022 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultRetryBackoff

func DefaultRetryBackoff() *wait.Backoff

DefaultRetryBackoff returns the default backoff parameters for webhook retry.

Types

type AuthorizerMetrics

type AuthorizerMetrics struct {
	// RecordRequestTotal increments the total number of requests for the webhook authorizer
	RecordRequestTotal func(ctx context.Context, code string)

	// RecordRequestLatency measures request latency in seconds for webhooks. Broken down by status code.
	RecordRequestLatency func(ctx context.Context, code string, latency float64)
}

AuthorizerMetrics specifies the callbacks the webhook authorizer invokes to record a request count and a latency sample for every call it makes to the remote service; code identifies the outcome of that call.

type WebhookAuthorizer

type WebhookAuthorizer struct {
	// contains filtered or unexported fields
}

func New

func New(kubeConfigFile string, version string, authorizedTTL, unauthorizedTTL time.Duration, retryBackoff wait.Backoff, customDial utilnet.DialFunc) (*WebhookAuthorizer, error)

New creates a new WebhookAuthorizer from the provided kubeconfig file. version selects the SubjectAccessReview API version sent to the remote service ("v1" or "v1beta1"). authorizedTTL and unauthorizedTTL bound how long an allowed and a not-allowed answer, respectively, are cached before the remote service is asked again for the same subject and attributes, so a revocation at the remote service takes effect only once the cached allow expires. retryBackoff controls retries of failed requests (see DefaultRetryBackoff), and customDial, if non-nil, replaces the dialer used to reach the remote service. The config's cluster entry refers to the remote service; the user entry holds the client credentials the returned authorizer presents to it.

# clusters refers to the remote service.
clusters:
- name: name-of-remote-authz-service
  cluster:
    certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
    server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'.

# users refers to the API server's webhook configuration.
users:
- name: name-of-api-server
  user:
    client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
    client-key: /path/to/key.pem          # key matching the cert

For additional HTTP configuration, refer to the kubeconfig documentation https://kubernetes.io/docs/user-guide/kubeconfig-file/.

func NewFromInterface

func NewFromInterface(subjectAccessReview authorizationv1client.AuthorizationV1Interface, authorizedTTL, unauthorizedTTL time.Duration, retryBackoff wait.Backoff, metrics AuthorizerMetrics) (*WebhookAuthorizer, error)

NewFromInterface creates a WebhookAuthorizer from an existing SubjectAccessReview client (the authorization.k8s.io/v1 client interface) instead of a kubeconfig file. The TTL and backoff parameters have the same meaning as in New; metrics supplies the callbacks invoked for each request to the remote service.

func (*WebhookAuthorizer) Authorize

func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (decision authorizer.Decision, reason string, err error)

Authorize POSTs a JSON-serialized SubjectAccessReview describing the attempted action to the remote service. The object's API version is the one given to New ("v1" or "v1beta1"); the bodies below use authorization.k8s.io/v1beta1, which spells the group list as "group" where v1 uses "groups". The verb is the Kubernetes API verb (get, list, watch, create, ...), not the HTTP method. An example request body is provided below.

{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "spec": {
    "resourceAttributes": {
      "namespace": "kittensandponies",
      "verb": "get",
      "group": "group3",
      "resource": "pods"
    },
    "user": "jane",
    "group": [
      "group1",
      "group2"
    ]
  }
}

The remote service is expected to fill in the status field (a SubjectAccessReviewStatus) of the object it sends back. A permissive response would return:

{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": true
  }
}

To withhold access, the remote service returns allowed set to false. Note that this is "no opinion" rather than a veto: if the API server runs further authorizers after the webhook (RBAC, for example), one of them may still allow the request. Setting "denied": true in the status as well makes the refusal final regardless of later authorizers. The reason string is surfaced to the requesting client in the API server's 403 response, so it should not carry sensitive policy detail.

{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": false,
    "reason": "user does not have read access to the namespace"
  }
}

TODO(mikedanese): We should eventually support failing closed when we encounter an error. We are failing open now to preserve backwards compatible behavior.
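The exchange above, as an added example that is not part of this package or of Kubernetes: a minimal remote service and a client that posts a SubjectAccessReview and maps the answer to a decision. The wire structs are hand-written mirrors of authorization.k8s.io/v1 reduced to the fields used; the policy, the users jane and mallory, the group ns-readers and the in-process httptest server are constructed for the example. The client mirrors the rules the authorizer in this package applies to the returned status: denied takes precedence over allowed, allowed alone is an allow, neither is no opinion, and a transport, HTTP or decoding error is returned as DecisionNoOpinion together with the error, never as an allow.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Decision mirrors the three outcomes an authorizer.Authorizer can return.
type Decision int
const (
	DecisionDeny Decision = iota
	DecisionAllow
	DecisionNoOpinion
)

// Hand-written mirrors of the authorization.k8s.io/v1 wire format, reduced to the fields used
// here. v1 spells the group list "groups"; the v1beta1 bodies above spell it "group".
type ResourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb,omitempty"`
	Resource  string `json:"resource,omitempty"`
}
type Spec struct {
	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
	User               string              `json:"user,omitempty"`
	Groups             []string            `json:"groups,omitempty"`
}
type Status struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"`
	Reason  string `json:"reason,omitempty"`
}
type SubjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       Spec   `json:"spec"`
	Status     Status `json:"status"`
}

// Decide is the remote service's policy (constructed for this example): mallory is vetoed, members of
// ns-readers may read in kittensandponies, and everything else gets no opinion so a later authorizer may grant it.
func Decide(spec Spec) Status {
	if spec.User == "mallory" {
		return Status{Denied: true, Reason: "user mallory is blocklisted"}
	}
	ra := spec.ResourceAttributes
	if ra != nil && ra.Namespace == "kittensandponies" && (ra.Verb == "get" || ra.Verb == "list" || ra.Verb == "watch") {
		for _, g := range spec.Groups {
			if g == "ns-readers" {
				return Status{Allowed: true}
			}
		}
	}
	return Status{} // allowed=false, denied=false: defer to the next authorizer
}

// Handler is the remote service: decode the review, fill in status, echo the object back.
func Handler(w http.ResponseWriter, r *http.Request) {
	var sar SubjectAccessReview
	if err := json.NewDecoder(r.Body).Decode(&sar); err != nil || sar.Kind != "SubjectAccessReview" {
		http.Error(w, "malformed SubjectAccessReview", http.StatusBadRequest)
		return
	}
	sar.Status = Decide(sar.Spec)
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(sar)
}

// Review posts one SubjectAccessReview and maps the answer the way the webhook authorizer does:
// denied beats allowed, and any transport, HTTP or decoding failure yields NoOpinion plus the error.
func Review(client *http.Client, url string, spec Spec) (Decision, string, error) {
	body, _ := json.Marshal(SubjectAccessReview{APIVersion: "authorization.k8s.io/v1", Kind: "SubjectAccessReview", Spec: spec})
	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return DecisionNoOpinion, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return DecisionNoOpinion, "", fmt.Errorf("webhook returned HTTP %d", resp.StatusCode)
	}
	var out SubjectAccessReview
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return DecisionNoOpinion, "", err
	}
	switch st := out.Status; {
	case st.Denied:
		return DecisionDeny, st.Reason, nil
	case st.Allowed:
		return DecisionAllow, st.Reason, nil
	default:
		return DecisionNoOpinion, st.Reason, nil
	}
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(Handler))
	spec := Spec{User: "jane", Groups: []string{"ns-readers"}, ResourceAttributes: &ResourceAttributes{Namespace: "kittensandponies", Verb: "get", Resource: "pods"}}
	fmt.Println(Review(srv.Client(), srv.URL, spec)) // DecisionAllow (1), empty reason, nil error
	srv.Close()
}
```

A production webhook would additionally terminate TLS with the CA named in the kubeconfig above and verify the API server's client certificate; the plain httptest server here exists only so the exchange runs offline.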

func (*WebhookAuthorizer) RulesFor

func (w *WebhookAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)

RulesFor is not implemented for webhook mode: it returns no rules, incomplete set to true, and an error stating that the webhook authorizer does not support user rule resolution. Rule enumeration (for example SelfSubjectRulesReview) therefore cannot reflect decisions made by the remote service.

TODO: need to finish the method to get the rules when using webhook mode
