Webhook Mode

    When specified, Webhook mode causes Kubernetes to query an outside REST service when determining user privileges.

    Webhook mode requires a file for HTTP configuration, specified by the --authorization-webhook-config-file=SOME_FILENAME flag.

    The configuration file uses the kubeconfig file format. Within the file, “users” refers to the API Server webhook and “clusters” refers to the remote service.

    A configuration example which uses HTTPS client auth:

    Request Payloads

    Note that webhook API objects are subject to the same versioning compatibility rules as other Kubernetes API objects. Implementers should be aware of looser compatibility promises for beta objects and check the “apiVersion” field of the request to ensure correct deserialization. Additionally, the API Server must enable the authorization.k8s.io/v1beta1 API extensions group (--runtime-config=authorization.k8s.io/v1beta1=true).

    An example request body:

    {
      "apiVersion": "authorization.k8s.io/v1beta1",
      "kind": "SubjectAccessReview",
      "spec": {
        "resourceAttributes": {
          "namespace": "kittensandponies",
          "verb": "get",
          "group": "unicorn.example.org",
          "resource": "pods"
        },
        "user": "jane",
        "group": [
          "group1",
          "group2"
        ]
      }
    }

    The remote service is expected to fill the status field of the request and respond to either allow or disallow access. The response body’s spec field is ignored and may be omitted. A permissive response would return:

    For disallowing access there are two methods.

    {
      "apiVersion": "authorization.k8s.io/v1beta1",
      "kind": "SubjectAccessReview",
      "status": {
        "allowed": false,
        "reason": "user does not have read access to the namespace"
      }
    }

    The second method denies immediately, short-circuiting evaluation by other configured authorizers. This should only be used by webhooks that have detailed knowledge of the full authorizer configuration of the cluster. The webhook would return:

    Access to non-resource paths is sent as:

    {
      "apiVersion": "authorization.k8s.io/v1beta1",
      "kind": "SubjectAccessReview",
      "spec": {
        "nonResourceAttributes": {
          "path": "/debug",
          "verb": "get"
        },
        "user": "jane",
        "group": [
          "group1",
          "group2"
        ]
      }
    }

    Non-resource paths include: /api, /apis, /metrics, /logs, /debug, /healthz, /livez, /openapi/v2, /readyz, and /version. Clients require access to /api, /api/*, /apis, and /apis/* to discover what resources and versions are present on the server. Access to other non-resource paths can be disallowed without restricting access to the REST API.
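
    As an added example (not code from the Kubernetes documentation), the Go service below accepts the SubjectAccessReview bodies shown above, applies a constructed toy policy, and answers with either of the two deny styles: "allowed": false, which leaves the decision to the other configured authorizers, or "denied": true, the v1beta1 status field that short-circuits them. The policy rules, the kube-system namespace check, the cluster-admins group and the Decide/Handler names are assumptions; the HTTPS client-certificate setup from the kubeconfig is not shown.

```go
package main
import (
	"encoding/json"
	"net/http"
	"strings"
)
// Subset of authorization.k8s.io/v1beta1 SubjectAccessReview; request-only fields need no tags (encoding/json matches names case-insensitively).
type resourceAttrs struct{ Namespace, Verb, Group, Resource string }
type sarSpec struct {
	ResourceAttributes    *resourceAttrs
	NonResourceAttributes *struct{ Path, Verb string }
	User                  string
	Group                 []string
}
type sarStatus struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"` // true short-circuits the remaining authorizers
	Reason  string `json:"reason,omitempty"`
}
type SubjectAccessReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Spec       *sarSpec  `json:"spec,omitempty"` // nil in responses; the API server ignores it
	Status     sarStatus `json:"status"`
}
// Decide applies a constructed toy policy (hypothetical rules, not any real cluster's) to one request spec.
func Decide(s sarSpec) sarStatus {
	member := map[string]bool{}
	for _, g := range s.Group {
		member[g] = true
	}
	if nr := s.NonResourceAttributes; nr != nil { // discovery (/api, /api/*, /apis, /apis/*) stays reachable; other paths fall through
		return sarStatus{Allowed: strings.HasPrefix(nr.Path+"/", "/api/") || strings.HasPrefix(nr.Path+"/", "/apis/")}
	}
	if r := s.ResourceAttributes; r != nil && r.Namespace == "kube-system" && !member["cluster-admins"] {
		return sarStatus{Denied: true, Reason: "kube-system is reserved"} // hard deny: no later authorizer can allow it
	}
	if r := s.ResourceAttributes; r != nil && r.Verb == "get" && r.Resource == "pods" && member["group1"] {
		return sarStatus{Allowed: true}
	}
	return sarStatus{Allowed: false, Reason: "no webhook rule matched"} // soft deny: later authorizers may still allow
}
func Handler(w http.ResponseWriter, r *http.Request) { // answers the API server's POSTed review with apiVersion, kind and status
	var sar SubjectAccessReview
	if err := json.NewDecoder(r.Body).Decode(&sar); err != nil || sar.Kind != "SubjectAccessReview" || sar.Spec == nil {
		http.Error(w, "malformed SubjectAccessReview", http.StatusBadRequest)
		return
	}
	json.NewEncoder(w).Encode(SubjectAccessReview{APIVersion: sar.APIVersion, Kind: sar.Kind, Status: Decide(*sar.Spec)})
}
```

    Serve Handler over TLS (http.ListenAndServeTLS) with client-certificate verification so that only the API Server described in the kubeconfig "users" entry can reach it.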

    For further documentation refer to the authorization.v1beta1 API objects and .