Search⌘ K
Home
Courses
Programming with Kubernetes

How Webhook Authorization Works

Learn how webhook authorization works in Kubernetes.

We'll cover the following...

Webhook authorization

The task during the authorization stage is to determine user privileges, in other words, if the user is allowed to perform the requested action. For example, the user Bob is trying to create a Pod. During the authorization stage, Kubernetes needs to verify if Bob is allowed to POST a Pod to the kube-apiserver.

Kubernetes bundles a group of authorization plugins as a union authorization chain, just as the code snippet below shows:

Go (1.16.5)
// Code from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/authorization/union/union.go#L39-L69
// New() returns an authorizer that authorizes against a chain of authorizer.Authorizer objects
func New(authorizationHandlers ...authorizer.Authorizer) authorizer.Authorizer {
	return unionAuthzHandler(authorizationHandlers)
}
// Authorizes against a chain of authorizer.Authorizer objects and returns nil if successful and returns error if unsuccessful
func (authzHandler unionAuthzHandler) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
	var (
		errlist    []error
		reasonlist []string
	)
	for _, currAuthzHandler := range authzHandler {
		decision, reason, err := currAuthzHandler.Authorize(ctx, a)
		if err != nil {
			errlist = append(errlist, err)
		}
		if len(reason) != 0 {
			reasonlist = append(reasonlist, reason)
		}
		switch decision {
		case authorizer.DecisionAllow, authorizer.DecisionDeny:
			return decision, reason, err
		case authorizer.DecisionNoOpinion:
			// continue to the next authorizer
		}
	}
	return authorizer.DecisionNoOpinion, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist)
}

Each plugin implements a specific authorization method, such as Node, RBAC, ABAC, etc. Any authenticated requests will be presented to each authorization plugin one by one, until one of them can successfully determine user privileges on the requested resource. Here, the UserInfo obtained from the previous authentication stage is used for decision making.

Then, the authorization stage finishes and the request proceeds to ...