Documentation

Overview

    Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.

    Index

    Constants

    This section is empty.

    Variables

    This section is empty.

    Functions

    This section is empty.

    Types

    type WebhookAuthorizer

    type WebhookAuthorizer struct {
    	// contains filtered or unexported fields
    }

    func New

    func New(kubeConfigFile string, authorizedTTL, unauthorizedTTL time.Duration) (*WebhookAuthorizer, error)

      New creates a new WebhookAuthorizer from the provided kubeconfig file.

      The config's cluster field refers to the remote service, and its user field to the returned authorizer.

      # clusters refers to the remote service.
      clusters:
      - name: name-of-remote-authz-service
        cluster:
          certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
          server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'.
      
      # users refers to the API server's webhook configuration.
      users:
      - name: name-of-api-server
        user:
          client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
          client-key: /path/to/key.pem          # key matching the cert
      

      For additional HTTP configuration, refer to the kubeconfig documentation http://kubernetes.io/v1.1/docs/user-guide/kubeconfig-file.html.

    func NewFromInterface

    func NewFromInterface(subjectAccessReview authorizationclient.SubjectAccessReviewInterface, authorizedTTL, unauthorizedTTL time.Duration) (*WebhookAuthorizer, error)

      NewFromInterface creates a WebhookAuthorizer using the given subjectAccessReview client.

    func (*WebhookAuthorizer) Authorize

    func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (authorized bool, reason string, err error)

      Authorize makes a REST request to the remote service describing the attempted action as a JSON-serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is provided below.

      {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "spec": {
          "resourceAttributes": {
            "namespace": "kittensandponies",
            "verb": "GET",
            "group": "group3",
            "resource": "pods"
          },
          "user": "jane",
          "group": [
            "group1",
            "group2"
          ]
        }
      }

      The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or disallow access. A permissive response would return:

      {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "status": {
          "allowed": true
        }
      }

      To disallow access, the remote service would return:

      {
        "apiVersion": "authorization.k8s.io/v1beta1",
        "kind": "SubjectAccessReview",
        "status": {
          "allowed": false,
          "reason": "user does not have read access to the namespace"
        }
      }

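      As an added example (not code from this package or from Kubernetes), the remote service's side of the exchange Authorize describes: it decodes the SubjectAccessReview request body above and produces the status the API server reads back, denying by default and giving a reason on every denial. The struct types are a constructed minimal mirror of the v1beta1 fields, and the readers map is a hypothetical policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed minimal mirror of the v1beta1 SubjectAccessReview fields read here (real types:
// k8s.io/api/authorization/v1beta1); encoding/json matches keys case-insensitively, so no tags.
type ResourceAttributes struct{ Namespace, Verb, Group, Resource string }
type Spec struct {
	ResourceAttributes *ResourceAttributes
	User               string
	Group              []string
}
type Status struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}
type SubjectAccessReview struct {
	Spec   Spec    `json:"spec"`
	Status *Status `json:"status,omitempty"`
}

// readers is a hypothetical policy: for each namespace, the groups allowed to read it.
var readers = map[string]map[string]bool{"kittensandponies": {"pony-readers": true}}

// Review decodes a request body as Authorize sends it and returns the status to reply
// with. Only a read verb on a namespace listed for one of the subject's groups is
// allowed; anything else, including a non-resource request, is denied with a reason.
func Review(body []byte) (Status, error) {
	var r SubjectAccessReview
	if err := json.Unmarshal(body, &r); err != nil {
		return Status{}, fmt.Errorf("malformed SubjectAccessReview: %w", err)
	}
	ra := r.Spec.ResourceAttributes
	if ra == nil {
		return Status{Reason: "only resource requests are authorized by this service"}, nil
	}
	if v := strings.ToLower(ra.Verb); v != "get" && v != "list" && v != "watch" {
		return Status{Reason: fmt.Sprintf("verb %q is not permitted", ra.Verb)}, nil
	}
	for _, g := range r.Spec.Group {
		if readers[ra.Namespace][g] {
			return Status{Allowed: true}, nil
		}
	}
	return Status{Reason: "user does not have read access to the namespace"}, nil
}
```

      Setting the returned Status on the decoded review and encoding it with encoding/json yields the response bodies shown above.
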
          Source Files