
How Webhook Authorization Works

Explore how Kubernetes handles user authorization through webhook plugins. Understand the configuration of authorization webhooks, how they validate user actions via HTTP callbacks, and how to customize secure access control based on your cluster's needs.

Webhook authorization

The task of the authorization stage is to determine the user's privileges, in other words, whether the user is allowed to perform the requested action. For example, suppose the user Bob is trying to create a Pod. During the authorization stage, Kubernetes needs to verify whether Bob is allowed to POST a Pod to the kube-apiserver.

Kubernetes bundles a group of authorization plugins into a union authorization chain, as the code snippet below shows:

Go (1.16.5)
// Code from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/authorization/union/union.go#L39-L69
package union

import (
	"context"
	"strings"

	utilerrors "k8s.io/apimachinery/pkg/util/errors"
	"k8s.io/apiserver/pkg/authorization/authorizer"
)

// unionAuthzHandler is the ordered chain; each request is offered to its authorizers in turn.
type unionAuthzHandler []authorizer.Authorizer

// New() returns an authorizer that authorizes against a chain of authorizer.Authorizer objects
func New(authorizationHandlers ...authorizer.Authorizer) authorizer.Authorizer {
	return unionAuthzHandler(authorizationHandlers)
}

// Authorizes against a chain of authorizer.Authorizer objects and returns nil if successful and returns error if unsuccessful
func (authzHandler unionAuthzHandler) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
	var (
		errlist    []error
		reasonlist []string
	)
	for _, currAuthzHandler := range authzHandler {
		decision, reason, err := currAuthzHandler.Authorize(ctx, a)
		if err != nil {
			errlist = append(errlist, err)
		}
		if len(reason) != 0 {
			reasonlist = append(reasonlist, reason)
		}
		switch decision {
		case authorizer.DecisionAllow, authorizer.DecisionDeny:
			// the first definite answer ends the chain
			return decision, reason, err
		case authorizer.DecisionNoOpinion:
			// continue to the next authorizer
		}
	}
	// no authorizer had an opinion: hand back every reason and error collected along the way
	return authorizer.DecisionNoOpinion, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist)
}

Each plugin implements a specific authorization method, such as Node, RBAC, ABAC or Webhook. Every authenticated request is presented to the authorization plugins one by one, in the configured order, until one of them reaches a definite decision (Allow or Deny) about the user's privileges on the requested resource; a plugin that has no opinion passes the request on to the next one. The decision is made from the UserInfo obtained during the previous authentication stage.
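The program below is an added example, not code from this page or from the Kubernetes project. It models the Webhook link of the chain just described: Bob's request to create a Pod is serialised into an authorization.k8s.io/v1 SubjectAccessReview, POSTed to an authorization webhook, and the webhook's status.allowed / status.denied answer is mapped back onto Allow, Deny or NoOpinion and run through a chain with the same first-definite-answer-wins contract as union.go. Everything in it is an assumption made for the example: Decision, Attributes, Plugin and chain are simplified stand-ins for the k8s.io/apiserver types (chain aggregates errors but drops reasons), nodeStub replaces a real plugin that has no opinion about Bob, and newPolicyServer, its rules, and the user and namespace names are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Decision mirrors authorizer.Decision from k8s.io/apiserver, redefined so the example builds without the Kubernetes modules.
type Decision int
const (
	DecisionDeny Decision = iota
	DecisionAllow
	DecisionNoOpinion
)

// Attributes is the subset of authorizer.Attributes used here; Plugin is one link of the chain (the real interface also takes a context).
type Attributes struct{ User, Verb, Resource, Namespace string }
type Plugin func(a Attributes) (Decision, string, error)
// chain keeps the contract of union.go: the first Allow or Deny wins, NoOpinion falls through, errors are aggregated (reasons are not).
func chain(a Attributes, plugins ...Plugin) (Decision, string, error) {
	var errs []error
	for _, p := range plugins {
		d, reason, err := p(a)
		if d == DecisionAllow || d == DecisionDeny {
			return d, reason, err
		}
		errs = append(errs, err) // nil entries are dropped by errors.Join
	}
	return DecisionNoOpinion, "", errors.Join(errs...)
}

// nodeStub stands in for a plugin such as Node that has nothing to say about an ordinary user like Bob.
func nodeStub(Attributes) (Decision, string, error) { return DecisionNoOpinion, "", nil }

// subjectAccessReview is the authorization.k8s.io/v1 SubjectAccessReview the apiserver POSTs to the webhook (only the fields used here).
type subjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		User               string            `json:"user"`
		ResourceAttributes map[string]string `json:"resourceAttributes"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Denied  bool   `json:"denied,omitempty"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}

// webhookPlugin is the client side of the callback: status.allowed maps to Allow, status.denied to Deny, and anything else (including a transport or decode error) to NoOpinion, so a broken or unreachable webhook can never grant access.
func webhookPlugin(url string) Plugin {
	return func(a Attributes) (Decision, string, error) {
		var sar subjectAccessReview
		sar.APIVersion, sar.Kind, sar.Spec.User = "authorization.k8s.io/v1", "SubjectAccessReview", a.User
		sar.Spec.ResourceAttributes = map[string]string{"namespace": a.Namespace, "verb": a.Verb, "resource": a.Resource}
		body, _ := json.Marshal(sar)
		resp, err := http.Post(url, "application/json", bytes.NewReader(body))
		if err != nil {
			return DecisionNoOpinion, "", err
		}
		defer resp.Body.Close()
		if err := json.NewDecoder(resp.Body).Decode(&sar); err != nil {
			return DecisionNoOpinion, "", err
		}
		switch {
		case sar.Status.Allowed:
			return DecisionAllow, sar.Status.Reason, nil
		case sar.Status.Denied:
			return DecisionDeny, sar.Status.Reason, nil
		}
		return DecisionNoOpinion, sar.Status.Reason, nil
	}
}

// newPolicyServer is a constructed stand-in for the remote authorization service; its policy is hypothetical.
func newPolicyServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var sar subjectAccessReview
		_ = json.NewDecoder(r.Body).Decode(&sar) // a malformed review simply gets "no opinion" back
		ra := sar.Spec.ResourceAttributes
		if sar.Spec.User == "bob" && ra["verb"] == "create" && ra["resource"] == "pods" && ra["namespace"] == "dev" {
			sar.Status.Allowed, sar.Status.Reason = true, "bob may create pods in dev"
		} else if ra["namespace"] == "kube-system" {
			sar.Status.Denied, sar.Status.Reason = true, "kube-system is off limits"
		}
		json.NewEncoder(w).Encode(sar)
	}))
}

func main() {
	srv := newPolicyServer()
	defer srv.Close()
	// Bob creates a Pod in dev: the stub has no opinion, the webhook allows; the apiserver forwards a request only on Allow.
	fmt.Println(chain(Attributes{User: "bob", Verb: "create", Resource: "pods", Namespace: "dev"}, nodeStub, webhookPlugin(srv.URL)))
}
```

Three behaviours are worth checking when running it: the fall-through (nodeStub answers NoOpinion, so the webhook is consulted), the Deny short-circuit for kube-system, and a webhook that is unreachable, which yields NoOpinion plus an error rather than Allow. The apiserver lets a request proceed only on Allow, so a chain that ends in NoOpinion is rejected with 403 Forbidden.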

Then, the authorization stage finishes and the request proceeds to ...