kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
website/docs/admin/authorization/webhook.md

149 lines
4.4 KiB
Markdown
Raw Normal View History

Reimplement #3770
2017-05-23 21:10:17 +00:00
---
Rename OWNERS assignees: to approvers: They are effectively the same, assignees is deprecated
2017-08-03 23:22:52 +00:00
approvers:
Reimplement #3770
2017-05-23 21:10:17 +00:00
- erictune
- lavalamp
- deads2k
- liggitt
title: Webhook Mode
---
{% capture overview %}
A WebHook is an HTTP callback: an HTTP POST that occurs when something happens; a simple event-notification via HTTP POST. A web application implementing WebHooks will POST a message to a URL when certain things happen.
{% endcapture %}
{% capture body %}
When specified, mode `Webhook` causes Kubernetes to query an outside REST
service when determining user privileges.
## Configuration File Format
Mode `Webhook` requires a file for HTTP configuration, specify by the
`--authorization-webhook-config-file=SOME_FILENAME` flag.
The configuration file uses the [kubeconfig](/docs/concepts/cluster-administration/authenticate-across-clusters-kubeconfig/)
file format. Within the file "users" refers to the API Server webhook and
"clusters" refers to the remote service.
A configuration example which uses HTTPS client auth:
```yaml
# clusters refers to the remote service.
clusters:
- name: name-of-remote-authz-service
cluster:
certificate-authority: /path/to/ca.pem # CA for verifying the remote service.
server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'.
# users refers to the API Server's webhook configuration.
users:
- name: name-of-api-server
user:
client-certificate: /path/to/cert.pem # cert for the webhook plugin to use
client-key: /path/to/key.pem # key matching the cert
# kubeconfig files require a context. Provide one for the API Server.
current-context: webhook
contexts:
- context:
cluster: name-of-remote-authz-service
user: name-of-api-server
name: webhook
```
## Request Payloads
When faced with an authorization decision, the API Server POSTs a JSON
serialized api.authorization.v1beta1.SubjectAccessReview object describing the
action. This object contains fields describing the user attempting to make the
request, and either details about the resource being accessed or requests
attributes.
Note that webhook API objects are subject to the same [versioning compatibility rules](/docs/api/)
as other Kubernetes API objects. Implementers should be aware of looser
compatibility promises for beta objects and check the "apiVersion" field of the
request to ensure correct deserialization. Additionally, the API Server must
enable the `authorization.k8s.io/v1beta1` API extensions group (`--runtime-config=authorization.k8s.io/v1beta1=true`).
An example request body:
```json
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"spec": {
"resourceAttributes": {
"namespace": "kittensandponies",
"verb": "get",
"group": "unicorn.example.org",
"resource": "pods"
},
"user": "jane",
"group": [
"group1",
"group2"
]
}
}
```
Fix Typo - "SubjectAccessReviewStatus" -> "status" - "SubjectAccessReview" is the value of the "kind" field of the request and response. The webhook has to fill in the "status" field to indicate authorization passed or failed. - For consistency highlight spec better using back ticks
2017-07-27 14:58:03 +00:00
The remote service is expected to fill the `status` field of
Reimplement #3770
2017-05-23 21:10:17 +00:00
the request and respond to either allow or disallow access. The response body's
Fix Typo - "SubjectAccessReviewStatus" -> "status" - "SubjectAccessReview" is the value of the "kind" field of the request and response. The webhook has to fill in the "status" field to indicate authorization passed or failed. - For consistency highlight spec better using back ticks
2017-07-27 14:58:03 +00:00
`spec` field is ignored and may be omitted. A permissive response would return:
Reimplement #3770
2017-05-23 21:10:17 +00:00
```json
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"status": {
"allowed": true
}
}
```
To disallow access, the remote service would return:
```json
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"status": {
"allowed": false,
"reason": "user does not have read access to the namespace"
}
}
```
Access to non-resource paths are sent as:
```json
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"spec": {
"nonResourceAttributes": {
"path": "/debug",
"verb": "get"
},
"user": "jane",
"group": [
"group1",
"group2"
]
}
}
```
Non-resource paths include: `/api`, `/apis`, `/metrics`, `/resetMetrics`,
`/logs`, `/debug`, `/healthz`, `/swagger-ui/`, `/swaggerapi/`, `/ui`, and
`/version.` Clients require access to `/api`, `/api/*`, `/apis`, `/apis/*`,
and `/version` to discover what resources and versions are present on the server.
Access to other non-resource paths can be disallowed without restricting access
to the REST api.
For further documentation refer to the authorization.v1beta1 API objects and
Update webhook.md (#4790) * Update webhook.md update link to webhook.go source file * Update webhook.md
2017-08-12 16:31:43 +00:00
[webhook.go](https://github.com/kubernetes/kubernetes/blob/{{page.githubbranch}}/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go).
Reimplement #3770
2017-05-23 21:10:17 +00:00
{% endcapture %}
[authorization] fix invalid href for webhook
2017-06-05 03:42:13 +00:00
{% include templates/concept.md %}