ValidatingWebhookConfiguration: subject review on custom resource data
axel7083 opened this issue
Keywords
ValidatingWebhookConfiguration, AdmissionReview
Problem
I defined a CRD which is namespaced. However, it can have an impact on other namespaces based on the configuration placed inside it.
How to ensure the creator of the resource is allowed to access the other namespaces?
Let's say a ServiceAccount is allowed to create this resource that can impact any namespace depending on the configuration. I want to prevent this service account from accessing certain namespaces. Therefore, inside the AdmissionWebhook I can intercept the configuration used, and would like to deny it depending on the creator's permissions.
AdmissionWebhook
I tried to use the admission webhook, and thought I could maybe do a subject review of the authorization to know if it has the proper RBAC.
I am able to configure the AdmissionWebhook, but using the following code:
import logging
from typing import List
import kopf

@kopf.on.validate(...)  # resource arguments elided in the original
def authhook(logger: logging.Logger, headers: kopf.Headers, sslpeer: kopf.SSLPeer, warnings: List[str], **_):
    # Log the HTTP headers and the TLS client identity of the incoming AdmissionReview request
    logger.info(f'{headers=}')
    logger.info(f'{sslpeer=}')
it gives the result:
[2023-09-11 19:34:51,505] kopf.objects [INFO ] [default/global-secret] headers={'Host': '....:443', 'User-Agent': 'kube-apiserver-admission', 'Content-Length': '1697', 'Accept': 'application/json, */*', 'Content-Type': 'application/json', 'Accept-Encoding': 'gzip'}
[2023-09-11 19:34:51,505] kopf.objects [INFO ] [default/global-secret] sslpeer={}
It does not contain any information about the user creating the request.
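The identity the webhook is looking for travels in the AdmissionReview body itself, as `request.userInfo` (username, uid, groups, extra), not in the HTTP headers or the TLS peer, which is why the log above shows nothing; kopf hands that field to validation handlers as the `userinfo` keyword argument. The following is an added example, not code from this issue or from the kopf project: it parses a constructed AdmissionReview, builds one SubjectAccessReview per namespace the object would touch, and denies the admission unless every review comes back allowed. The GlobalSecret kind, its `spec.targetNamespaces` field, the `deployer` service account, the choice of `create secrets` as the effective permission, and the `sar_client` stand-in for POSTing to `/apis/authorization.k8s.io/v1/subjectaccessreviews` are all assumptions made for the example.

```python
import json
from typing import Any, Callable, Dict, List, Set

# Constructed sample of what the API server POSTs to a validating webhook.
# The GlobalSecret kind, its spec.targetNamespaces field and the "deployer"
# service account are hypothetical, not taken from the issue.
SAMPLE_ADMISSION_REVIEW = json.dumps({
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",
        "operation": "CREATE",
        "namespace": "default",
        "userInfo": {  # the authenticated caller: this is what the HTTP headers lack
            "username": "system:serviceaccount:default:deployer",
            "uid": "constructed-sa-uid",
            "groups": ["system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"],
        },
        "object": {
            "apiVersion": "example.com/v1",
            "kind": "GlobalSecret",
            "metadata": {"name": "global-secret", "namespace": "default"},
            "spec": {"targetNamespaces": ["default", "team-b"]},
        },
    },
})

# What the requester is effectively doing in each target namespace (assumption);
# phrasing it in built-in RBAC terms lets existing Roles and RoleBindings decide.
EFFECTIVE_VERB = "create"
EFFECTIVE_GROUP = ""          # core API group
EFFECTIVE_RESOURCE = "secrets"

# Any callable that takes a SubjectAccessReview dict and returns the object the
# API server sends back, with .status.allowed (and optionally .status.denied) set.
SarClient = Callable[[Dict[str, Any]], Dict[str, Any]]


def requester(review: Dict[str, Any]) -> Dict[str, Any]:
    """request.userInfo: the identity the API server authenticated for this call."""
    return review["request"]["userInfo"]


def impacted_namespaces(review: Dict[str, Any]) -> List[str]:
    """Namespaces the custom object would affect (hypothetical spec field)."""
    return list(review["request"]["object"].get("spec", {}).get("targetNamespaces", []))


def subject_access_review(user_info: Dict[str, Any], namespace: str) -> Dict[str, Any]:
    """Body for POST /apis/authorization.k8s.io/v1/subjectaccessreviews asking
    whether this user may do EFFECTIVE_VERB on EFFECTIVE_RESOURCE in `namespace`."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user_info["username"],
            "uid": user_info.get("uid", ""),
            "groups": list(user_info.get("groups", [])),
            "extra": user_info.get("extra", {}),
            "resourceAttributes": {
                "namespace": namespace,
                "verb": EFFECTIVE_VERB,
                "group": EFFECTIVE_GROUP,
                "resource": EFFECTIVE_RESOURCE,
            },
        },
    }


def admission_response(review_json: str, sar_client: SarClient) -> Dict[str, Any]:
    """Decide the AdmissionReview: allow only if every target namespace is authorised."""
    review = json.loads(review_json)
    uid = review["request"]["uid"]
    who = requester(review)
    response: Dict[str, Any] = {"uid": uid, "allowed": True}
    for ns in impacted_namespaces(review):
        status = sar_client(subject_access_review(who, ns)).get("status", {})
        # Fail closed: a missing, false or explicitly denied answer blocks the object.
        if not status.get("allowed", False) or status.get("denied", False):
            response = {
                "uid": uid,
                "allowed": False,
                "status": {
                    "code": 403,
                    "message": f"{who['username']} may not {EFFECTIVE_VERB} "
                               f"{EFFECTIVE_RESOURCE} in namespace {ns}",
                },
            }
            break
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def fake_sar_client(grants: Dict[str, Set[str]]) -> SarClient:
    """Offline stand-in for the SubjectAccessReview endpoint (constructed for the
    example): `grants` maps a username to the namespaces where it is authorised."""
    def client(sar: Dict[str, Any]) -> Dict[str, Any]:
        spec = sar["spec"]
        allowed = spec["resourceAttributes"]["namespace"] in grants.get(spec["user"], set())
        return {**sar, "status": {"allowed": allowed, "denied": not allowed}}
    return client
```

Calling `admission_response(SAMPLE_ADMISSION_REVIEW, fake_sar_client({"system:serviceaccount:default:deployer": {"default", "team-a"}}))` denies the object with a 403 naming `team-b`; granting `team-b` as well yields `allowed: true`. In a real webhook the stand-in is replaced by an authenticated POST of the same body to the API server, and the decision is fail-closed on purpose: an unknown user, a transport error or a missing status all block the object rather than letting it through.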