Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.


    type WebhookAuthorizer

    type WebhookAuthorizer struct {
    	// contains filtered or unexported fields
    }

    func New

    func New(kubeConfigFile string, authorizedTTL, unauthorizedTTL time.Duration) (*WebhookAuthorizer, error)

      New creates a new WebhookAuthorizer from the provided kubeconfig file.

      The config's cluster field refers to the remote service; the user field holds the client credentials that the returned authorizer presents to that service.

        # clusters refers to the remote service.
        clusters:
        - name: name-of-remote-authz-service
          cluster:
            certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
            server: # URL of remote service to query. Must use 'https'.

        # users refers to the API server's webhook configuration.
        users:
        - name: name-of-api-server
          user:
            client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
            client-key: /path/to/key.pem          # key matching the cert

      For additional HTTP configuration, refer to the kubeconfig documentation.

    func NewFromInterface

    func NewFromInterface(subjectAccessReview authorizationclient.SubjectAccessReviewInterface, authorizedTTL, unauthorizedTTL time.Duration) (*WebhookAuthorizer, error)

      NewFromInterface creates a WebhookAuthorizer using the given subjectAccessReview client.

    func (*WebhookAuthorizer) Authorize

    func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision authorizer.Decision, reason string, err error)

      Authorize makes a REST request to the remote service describing the attempted action as a JSON serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is provided below.

        {
          "apiVersion": "",
          "kind": "SubjectAccessReview",
          "spec": {
            "resourceAttributes": {
              "namespace": "kittensandponies",
              "verb": "GET",
              "group": "group3",
              "resource": "pods"
            },
            "user": "jane",
            "group": [
            ]
          }
        }

      The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or disallow access. A permissive response would return:

        {
          "apiVersion": "",
          "kind": "SubjectAccessReview",
          "status": {
            "allowed": true
          }
        }

      To disallow access, the remote service would return:

        {
          "apiVersion": "",
          "kind": "SubjectAccessReview",
          "status": {
            "allowed": false,
            "reason": "user does not have read access to the namespace"
          }
        }

      TODO(mikedanese): We should eventually support failing closed when we encounter an error. We are failing open now to preserve backwards compatible behavior.
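      The exchange above, as an added example that is not part of this package: a toy remote service that fills in the status for the request shown, and a client that, unlike the fail-open TODO, denies on any error. SubjectAccessReview, RemoteAuthz and Authorize are names assumed for this example; the struct mirrors only the spec/status fields shown above and uses the standard library instead of the k8s.io client types.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"net/http"
)

// SubjectAccessReview mirrors only the spec/status fields used above (assumed shape).
type SubjectAccessReview struct {
	Spec struct {
		ResourceAttributes map[string]string `json:"resourceAttributes,omitempty"`
		User               string            `json:"user"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}

// RemoteAuthz is a toy remote service: jane may GET pods in kittensandponies, nothing else.
func RemoteAuthz(w http.ResponseWriter, r *http.Request) {
	var sar SubjectAccessReview
	_ = json.NewDecoder(r.Body).Decode(&sar) // a malformed body leaves the zero value, which is denied below
	ra := sar.Spec.ResourceAttributes
	sar.Status.Allowed = sar.Spec.User == "jane" && ra["namespace"] == "kittensandponies" &&
		ra["verb"] == "GET" && ra["resource"] == "pods"
	if !sar.Status.Allowed {
		sar.Status.Reason = "user does not have read access to the namespace"
	}
	json.NewEncoder(w).Encode(sar) // echo the review with status filled in
}

// Authorize posts the review and, unlike the fail-open TODO above, fails closed: a transport error, a non-200 status or an undecodable body all deny.
func Authorize(url string, sar SubjectAccessReview) (allowed bool, reason string, err error) {
	body, _ := json.Marshal(sar)
	resp, err := http.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, "", errors.New("remote authorizer returned " + resp.Status)
	}
	if err := json.NewDecoder(resp.Body).Decode(&sar); err != nil { // response carries the status
		return false, "", err
	}
	return sar.Status.Allowed, sar.Status.Reason, nil
}
```

      Serve RemoteAuthz with net/http/httptest (or a real TLS listener, as the kubeconfig above requires) and point Authorize at its URL to observe both the allow and the deny responses.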

    func (*WebhookAuthorizer) RulesFor

      TODO: need to finish the method to get the rules when using webhook mode