How Webhook Authorization Works
Learn how webhook authorization works in Kubernetes.
We'll cover the following...
Webhook authorization
The task during the authorization stage is to determine user privileges, in other words, if the user is allowed to perform the requested action. For example, the user Bob is trying to create a Pod. During the authorization stage, Kubernetes needs to verify if Bob is allowed to POST a Pod to the kube-apiserver.
Kubernetes bundles a group of authorization plugins as a union authorization chain, just as the code snippet below shows:
// Code from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/authorization/union/union.go#L39-L69// New() returns an authorizer that authorizes against a chain of authorizer.Authorizer objectsfunc New(authorizationHandlers ...authorizer.Authorizer) authorizer.Authorizer {return unionAuthzHandler(authorizationHandlers)}// Authorizes against a chain of authorizer.Authorizer objects and returns nil if successful and returns error if unsuccessfulfunc (authzHandler unionAuthzHandler) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {var (errlist []errorreasonlist []string)for _, currAuthzHandler := range authzHandler {decision, reason, err := currAuthzHandler.Authorize(ctx, a)if err != nil {errlist = append(errlist, err)}if len(reason) != 0 {reasonlist = append(reasonlist, reason)}switch decision {case authorizer.DecisionAllow, authorizer.DecisionDeny:return decision, reason, errcase authorizer.DecisionNoOpinion:// continue to the next authorizer}}return authorizer.DecisionNoOpinion, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist)}
Each plugin implements a specific authorization method, such as Node, RBAC, ABAC, etc. Any authenticated requests will be presented to each authorization plugin one by one, until one of them can successfully determine user privileges on the requested resource. Here, the UserInfo obtained from the previous authentication stage is used for decision making.
Then, the authorization stage ...