Search⌘ K
Home
Courses
Programming with Kubernetes

How Webhook Token Authentication Works

Explore how Kubernetes authenticates users using webhook token authentication. Understand the configuration flags, how tokens are verified remotely via HTTP, and how this method integrates with your own user-management systems to secure your cluster.

We'll cover the following...

Webhook token authentication

The task during the authentication stage is to identify if a request comes from a legitimate user and to reject all the other requests that don’t.

Kubernetes bundles a group of authentication plugins as a union authentication chain, as shown in the code snippet below:

Go (1.16.5)
// Code from https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/authentication/request/union/union.go#L34-L71
// New() returns a request authenticator that validates credentials using a chain of authenticator.Request objects.
// The entire chain is tried until one succeeds. If all fail, an aggregate error is returned.
func New(authRequestHandlers ...authenticator.Request) authenticator.Request {
	if len(authRequestHandlers) == 1 {
		return authRequestHandlers[0]
	}
	return &unionAuthRequestHandler{Handlers: authRequestHandlers, FailOnError: false}
}
// NewFailOnError() returns a request authenticator that validates credentials using a chain of authenticator.Request objects.
// The first error short-circuits the chain.
func NewFailOnError(authRequestHandlers ...authenticator.Request) authenticator.Request {
	if len(authRequestHandlers) == 1 {
		return authRequestHandlers[0]
	}
	return &unionAuthRequestHandler{Handlers: authRequestHandlers, FailOnError: true}
}
// AuthenticateRequest authenticates the request using a chain of authenticator.Request objects.
func (authHandler *unionAuthRequestHandler) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
	var errlist []error
	for _, currAuthRequestHandler := range authHandler.Handlers {
		resp, ok, err := currAuthRequestHandler.AuthenticateRequest(req)
		if err != nil {
			if authHandler.FailOnError {
				return resp, ok, err
			}
			errlist = append(errlist, err)
			continue
		}
		if ok {
			return resp, ok, err
		}
	}
	return nil, false, utilerrors.NewAggregate(errlist)
}

Each plugin implements a specific authentication method. The incoming requests will be presented to each plugin one by one, until one of them can successfully verify the user identity. Then, the authentication stage finishes and the request proceeds to the subsequent authorization stage. If none of the authentication plugins can verify the user ...