diff --git a/_data/reference.yml b/_data/reference.yml index 1513ca464d..ef64c02ef2 100644 --- a/_data/reference.yml +++ b/_data/reference.yml @@ -18,6 +18,7 @@ toc: - docs/admin/authorization/index.md - docs/admin/authorization/abac.md - docs/admin/authorization/rbac.md + - docs/admin/authorization/webhook.md - docs/reference/deprecation-policy.md - title: API Reference diff --git a/docs/admin/authorization/webhook.md b/docs/admin/authorization/webhook.md new file mode 100644 index 0000000000..56d60e644d --- /dev/null +++ b/docs/admin/authorization/webhook.md @@ -0,0 +1,148 @@ +--- +assignees: +- erictune +- lavalamp +- deads2k +- liggitt +title: Webhook Mode +--- + +{% capture overview %} +A WebHook is an HTTP callback: an HTTP POST that occurs when something happens; a simple event-notification via HTTP POST. A web application implementing WebHooks will POST a message to a URL when certain things happen. +{% endcapture %} + +{% capture body %} +When specified, mode `Webhook` causes Kubernetes to query an outside REST +service when determining user privileges. + +## Configuration File Format + +Mode `Webhook` requires a file for HTTP configuration, specify by the +`--authorization-webhook-config-file=SOME_FILENAME` flag. + +The configuration file uses the [kubeconfig](/docs/concepts/cluster-administration/authenticate-across-clusters-kubeconfig/) +file format. Within the file "users" refers to the API Server webhook and +"clusters" refers to the remote service. + +A configuration example which uses HTTPS client auth: + +```yaml +# clusters refers to the remote service. +clusters: + - name: name-of-remote-authz-service + cluster: + certificate-authority: /path/to/ca.pem # CA for verifying the remote service. + server: https://authz.example.com/authorize # URL of remote service to query. Must use 'https'. + +# users refers to the API Server's webhook configuration. +users: + - name: name-of-api-server + user: + client-certificate: /path/to/cert.pem # cert for the webhook plugin to use + client-key: /path/to/key.pem # key matching the cert + +# kubeconfig files require a context. Provide one for the API Server. +current-context: webhook +contexts: +- context: + cluster: name-of-remote-authz-service + user: name-of-api-server + name: webhook +``` + +## Request Payloads + +When faced with an authorization decision, the API Server POSTs a JSON +serialized api.authorization.v1beta1.SubjectAccessReview object describing the +action. This object contains fields describing the user attempting to make the +request, and either details about the resource being accessed or requests +attributes. + +Note that webhook API objects are subject to the same [versioning compatibility rules](/docs/api/) +as other Kubernetes API objects. Implementers should be aware of looser +compatibility promises for beta objects and check the "apiVersion" field of the +request to ensure correct deserialization. Additionally, the API Server must +enable the `authorization.k8s.io/v1beta1` API extensions group (`--runtime-config=authorization.k8s.io/v1beta1=true`). + +An example request body: + +```json +{ + "apiVersion": "authorization.k8s.io/v1beta1", + "kind": "SubjectAccessReview", + "spec": { + "resourceAttributes": { + "namespace": "kittensandponies", + "verb": "get", + "group": "unicorn.example.org", + "resource": "pods" + }, + "user": "jane", + "group": [ + "group1", + "group2" + ] + } +} +``` + +The remote service is expected to fill the SubjectAccessReviewStatus field of +the request and respond to either allow or disallow access. The response body's +"spec" field is ignored and may be omitted. A permissive response would return: + +```json +{ + "apiVersion": "authorization.k8s.io/v1beta1", + "kind": "SubjectAccessReview", + "status": { + "allowed": true + } +} +``` + +To disallow access, the remote service would return: + +```json +{ + "apiVersion": "authorization.k8s.io/v1beta1", + "kind": "SubjectAccessReview", + "status": { + "allowed": false, + "reason": "user does not have read access to the namespace" + } +} +``` + +Access to non-resource paths are sent as: + +```json +{ + "apiVersion": "authorization.k8s.io/v1beta1", + "kind": "SubjectAccessReview", + "spec": { + "nonResourceAttributes": { + "path": "/debug", + "verb": "get" + }, + "user": "jane", + "group": [ + "group1", + "group2" + ] + } +} +``` + +Non-resource paths include: `/api`, `/apis`, `/metrics`, `/resetMetrics`, +`/logs`, `/debug`, `/healthz`, `/swagger-ui/`, `/swaggerapi/`, `/ui`, and +`/version.` Clients require access to `/api`, `/api/*`, `/apis`, `/apis/*`, +and `/version` to discover what resources and versions are present on the server. +Access to other non-resource paths can be disallowed without restricting access +to the REST api. + +For further documentation refer to the authorization.v1beta1 API objects and +plugin/pkg/auth/authorizer/webhook/webhook.go. + +{% endcapture %} + +{% include templates/concept.md %} \ No newline at end of file