apiserver: k8s.io/apiserver/plugin/pkg/authorizer/webhook Index | Files

package webhook

import "k8s.io/apiserver/plugin/pkg/authorizer/webhook"

Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.


Package Files


func DefaultRetryBackoff Uses

func DefaultRetryBackoff() *wait.Backoff

DefaultRetryBackoff returns the default backoff parameters for webhook retry.

type WebhookAuthorizer Uses

type WebhookAuthorizer struct {
    // contains filtered or unexported fields

func New Uses

func New(kubeConfigFile string, version string, authorizedTTL, unauthorizedTTL time.Duration, retryBackoff wait.Backoff, customDial utilnet.DialFunc) (*WebhookAuthorizer, error)

New creates a new WebhookAuthorizer from the provided kubeconfig file. The config's cluster field is used to refer to the remote service, user refers to the returned authorizer.

# clusters refers to the remote service.
- name: name-of-remote-authz-service
    certificate-authority: /path/to/ca.pem      # CA for verifying the remote service.
    server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'.

# users refers to the API server's webhook configuration.
- name: name-of-api-server
    client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
    client-key: /path/to/key.pem          # key matching the cert

For additional HTTP configuration, refer to the kubeconfig documentation https://kubernetes.io/docs/user-guide/kubeconfig-file/.

func NewFromInterface Uses

func NewFromInterface(subjectAccessReview authorizationv1client.SubjectAccessReviewInterface, authorizedTTL, unauthorizedTTL time.Duration, retryBackoff wait.Backoff) (*WebhookAuthorizer, error)

NewFromInterface creates a WebhookAuthorizer using the given subjectAccessReview client

func (*WebhookAuthorizer) Authorize Uses

func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (decision authorizer.Decision, reason string, err error)

Authorize makes a REST request to the remote service describing the attempted action as a JSON serialized api.authorization.v1beta1.SubjectAccessReview object. An example request body is provided below.

  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "spec": {
    "resourceAttributes": {
      "namespace": "kittensandponies",
      "verb": "GET",
      "group": "group3",
      "resource": "pods"
    "user": "jane",
    "group": [

The remote service is expected to fill the SubjectAccessReviewStatus field to either allow or disallow access. A permissive response would return:

  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": true

To disallow access, the remote service would return:

  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": false,
    "reason": "user does not have read access to the namespace"

TODO(mikedanese): We should eventually support failing closed when we encounter an error. We are failing open now to preserve backwards compatible behavior.

func (*WebhookAuthorizer) RulesFor Uses

func (w *WebhookAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error)

TODO: need to finish the method to get the rules when using webhook mode

Package webhook imports 18 packages (graph) and is imported by 116 packages. Updated 2021-01-09. Refresh now. Tools for package owners.