Per the Kubernetes documentation on authorization:
I am currently writing a custom webhook for authorization, and in some cases I want the logic to fall back to RBAC, i.e. have my webhook respond with the "no opinion" described in the documentation. However, the documentation only details how to approve or deny a request and does not cover the third option, which seems essential for checking multiple authorization modules in sequence. In the context of a webhook, how do I best respond with "I have no opinion on this request, please pass it on to the next authorizer"?
Best answer
It is not clear from the official Kubernetes documentation how multiple AuthorizationModules work together.
So I checked the apiserver source: it builds a union of the authorizer.Authorizer instances with union.New(authorizers...), and the answer is in the union source.
There are more details in k8s.io/apiserver/pkg/authorization/union:
```go
package union

import (
	"strings"

	utilerrors "k8s.io/apimachinery/pkg/util/errors"
	"k8s.io/apiserver/pkg/authorization/authorizer"
)

// unionAuthzHandler authorizes against a chain of authorizers, in order.
type unionAuthzHandler []authorizer.Authorizer

// Authorize returns the first Allow or Deny in the chain; an authorizer that
// answers NoOpinion is skipped and the next one is consulted.
func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (authorizer.Decision, string, error) {
	var (
		errlist    []error
		reasonlist []string
	)

	for _, currAuthzHandler := range authzHandler {
		decision, reason, err := currAuthzHandler.Authorize(a)

		if err != nil {
			errlist = append(errlist, err)
		}
		if len(reason) != 0 {
			reasonlist = append(reasonlist, reason)
		}
		switch decision {
		case authorizer.DecisionAllow, authorizer.DecisionDeny:
			return decision, reason, err
		case authorizer.DecisionNoOpinion:
			// continue to the next authorizer
		}
	}

	// Nobody decided: NoOpinion, with every reason and error aggregated.
	return authorizer.DecisionNoOpinion, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist)
}
```
So if you are writing a custom webhook AuthorizationModule and want to pass the decision on to the next authorizer, you only need to return a response like the following:
```json
{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "reason": "no decision",
    "allowed": false,
    "denied": false
  }
}
```
The apiserver then makes its decision from this response:
```go
// Excerpt from the apiserver's webhook authorizer: r is the SubjectAccessReview
// returned by the webhook. Neither flag set means NoOpinion, so the union moves on.
switch {
case r.Status.Denied && r.Status.Allowed:
	return authorizer.DecisionDeny, r.Status.Reason, fmt.Errorf("webhook subject access review returned both allow and deny response")
case r.Status.Denied:
	return authorizer.DecisionDeny, r.Status.Reason, nil
case r.Status.Allowed:
	return authorizer.DecisionAllow, r.Status.Reason, nil
default:
	return authorizer.DecisionNoOpinion, r.Status.Reason, nil
}
```
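The whole chain in one runnable piece, as an added example that is not from the Stack Overflow answer or from the Kubernetes code base: a hypothetical webhook policy that answers allowed=false, denied=false for anything outside its scope, the apiserver-side mapping quoted above, and a union over webhook-then-RBAC in which the RBAC module is a constructed stub. The SubjectAccessReview types are a hand-written mirror of the v1beta1 wire format rather than an import of k8s.io/api, so the example runs offline; the names evaluate, serveReview, webhookAuthorizer, rbacStub and unionAuthorize, the "payments" namespace and the "payments-admin" and "deploy-bot" principals are all assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written mirror of the SubjectAccessReview fields used here (the real
// k8s.io/api/authorization/v1beta1 types are not imported so this runs offline).
type ResourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Resource  string `json:"resource,omitempty"`
}
type SARSpec struct {
	User               string              `json:"user"`
	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
}
type SARStatus struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"`
	Reason  string `json:"reason,omitempty"`
}
type SubjectAccessReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Spec       SARSpec   `json:"spec"`
	Status     SARStatus `json:"status"`
}

type Decision int // mirrors authorizer.Decision; NoOpinion is what lets the union move on

const DecisionDeny, DecisionAllow, DecisionNoOpinion Decision = 0, 1, 2

// evaluate is the hypothetical webhook's policy: it rules only on secrets in the
// "payments" namespace and answers allowed=false, denied=false for everything else.
func evaluate(spec SARSpec) SARStatus {
	if ra := spec.ResourceAttributes; ra == nil || ra.Namespace != "payments" || ra.Resource != "secrets" {
		return SARStatus{Reason: "no opinion: outside webhook scope"}
	}
	if spec.User == "payments-admin" { // constructed: the one principal this policy trusts
		return SARStatus{Allowed: true, Reason: "payments-admin may read payments secrets"}
	}
	return SARStatus{Denied: true, Reason: "payments secrets are restricted to payments-admin"}
}

// serveReview is the webhook's request handler body: decode, evaluate, re-encode.
func serveReview(body []byte) ([]byte, error) {
	var sar SubjectAccessReview
	if err := json.Unmarshal(body, &sar); err != nil {
		return nil, fmt.Errorf("malformed SubjectAccessReview: %w", err)
	}
	sar.Status = evaluate(sar.Spec)
	return json.Marshal(sar)
}

// toDecision is the apiserver-side mapping quoted in the answer.
func toDecision(st SARStatus) (Decision, string, error) {
	switch {
	case st.Denied && st.Allowed:
		return DecisionDeny, st.Reason, fmt.Errorf("webhook subject access review returned both allow and deny response")
	case st.Denied:
		return DecisionDeny, st.Reason, nil
	case st.Allowed:
		return DecisionAllow, st.Reason, nil
	}
	return DecisionNoOpinion, st.Reason, nil
}

// webhookAuthorizer is the apiserver side: serialize, call the webhook, map the
// reply. A failed call yields NoOpinion plus the error, never an Allow.
func webhookAuthorizer(spec SARSpec) (Decision, string, error) {
	body, _ := json.Marshal(SubjectAccessReview{APIVersion: "authorization.k8s.io/v1beta1", Kind: "SubjectAccessReview", Spec: spec})
	reply, err := serveReview(body)
	if err != nil {
		return DecisionNoOpinion, "", err
	}
	var out SubjectAccessReview
	if err := json.Unmarshal(reply, &out); err != nil {
		return DecisionNoOpinion, "", err
	}
	return toDecision(out.Status)
}

// rbacStub stands in for the RBAC module that runs after the webhook.
func rbacStub(spec SARSpec) (Decision, string, error) {
	if spec.User == "deploy-bot" { // constructed: the only user with a RoleBinding
		return DecisionAllow, "RBAC: deploy-bot is bound to a role", nil
	}
	return DecisionNoOpinion, "", nil
}

// unionAuthorize mirrors the apiserver union: first Allow or Deny wins, NoOpinion falls through.
func unionAuthorize(spec SARSpec, chain ...func(SARSpec) (Decision, string, error)) (Decision, string, error) {
	for _, a := range chain {
		if d, reason, err := a(spec); d != DecisionNoOpinion {
			return d, reason, err
		}
	}
	return DecisionNoOpinion, "", nil
}
```

Call unionAuthorize(spec, webhookAuthorizer, rbacStub) to walk the chain: deploy-bot reading pods in default gets NoOpinion from the webhook and Allow from RBAC, while deploy-bot reading secrets in payments is denied by the webhook before RBAC is ever consulted, which is the short-circuit the union source above shows. The error path is the part worth copying: a webhook that cannot be reached or returns a malformed body maps to NoOpinion with an error, never to Allow, so an outage of the webhook cannot silently widen access.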
On the topic of kubernetes - Check multiple Kubernetes authorization modules in sequence, how?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57248927/