nolar / kopf

A Python framework to write Kubernetes operators in just a few lines of code

Home Page:https://kopf.readthedocs.io/


ValidatingWebhookConfiguration: subject review on custom resource data

axel7083 opened this issue · comments

Keywords

ValidatingWebhookConfiguration, AdmissionReview

Problem

I defined a CRD which is namespaced. However, it can have an impact on other namespaces based on the configuration placed inside it.

How do I ensure the creator of the resource is allowed to access the other namespaces?

Let's say a ServiceAccount is allowed to create this resource that can impact any namespace depending on the configuration. I want to prevent this service account from accessing certain namespaces. Therefore, inside the AdmissionWebhook I can intercept the configuration used, and would like to deny it, depending on the creator's permissions.

AdmissionWebhook

I tried to use the admission webhook, and thought I could maybe do a subject review of the authorization to know if it has the proper RBAC.

I am able to configure the AdmissionWebhook, but using the following code:

import logging
from typing import List
import kopf

@kopf.on.validate(...)  # the resource selector (group, version, plural) is elided in the original
def authhook(logger: logging.Logger, headers: kopf.Headers, sslpeer: kopf.SSLPeer, warnings: List[str], **_):
    logger.info(f'{headers=}')
    logger.info(f'{sslpeer=}')

it gives the result:

[2023-09-11 19:34:51,505] kopf.objects         [INFO    ] [default/global-secret] headers={'Host': '....:443', 'User-Agent': 'kube-apiserver-admission', 'Content-Length': '1697', 'Accept': 'application/json, */*', 'Content-Type': 'application/json', 'Accept-Encoding': 'gzip'}
[2023-09-11 19:34:51,505] kopf.objects         [INFO    ] [default/global-secret] sslpeer={}

It does not contain any information about the user creating the request.
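The `headers` and `sslpeer` kwargs logged above describe the API server's own connection to the webhook, not the end user. The identity of the caller that the API server authenticated travels inside the AdmissionReview body itself, as `request.userInfo` (username, uid, groups, extra), and that is the identity to feed into a SubjectAccessReview for each namespace the resource would touch. The following added example (not code from the issue or from the Kopf project) shows that policy end to end: parsing a constructed AdmissionReview, building one SubjectAccessReview per target namespace with the requester's user *and* groups, and producing an AdmissionReview response that denies the request if any check fails or if `userInfo` is missing. The CRD `GlobalSecret` in the hypothetical group `example.com`, its `spec.targetNamespaces` field, and the choice of `create secrets` as the verb/resource to check are assumptions; the authorization call is injected so the logic runs offline.

```python
"""Added example: decide an admission request by checking the requester's
RBAC in every namespace the custom resource would touch.

Assumptions (not from the issue): the CRD is GlobalSecret in the
hypothetical group example.com and lists its targets in
spec.targetNamespaces; the operator's effect in a target namespace is
creating Secrets. The authorization check is injected so the policy
logic runs offline; see the usage note for the real API call.
"""
import json
from typing import Callable, Dict, List, Set

# Constructed sample of the AdmissionReview the API server POSTs to a
# validating webhook. request.userInfo is the field that identifies the
# caller; the object and its spec are hypothetical.
SAMPLE_ADMISSION_REVIEW = json.dumps({
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",
        "operation": "CREATE",
        "namespace": "default",
        "userInfo": {
            "username": "system:serviceaccount:default:secret-syncer",
            "uid": "66666666-7777-8888-9999-000000000000",
            "groups": ["system:serviceaccounts",
                       "system:serviceaccounts:default",
                       "system:authenticated"],
        },
        "object": {
            "apiVersion": "example.com/v1",
            "kind": "GlobalSecret",
            "metadata": {"name": "global-secret", "namespace": "default"},
            "spec": {"targetNamespaces": ["team-a", "kube-system"]},
        },
    },
})

# An authorizer receives a SubjectAccessReview body and answers
# "is it allowed?" (status.allowed from the API server in production).
Authorizer = Callable[[Dict], bool]


def subject_access_review(userinfo: Dict, namespace: str,
                          verb: str = "create", resource: str = "secrets") -> Dict:
    """Build a SubjectAccessReview asking whether the admission requester
    (identity copied from request.userInfo, groups included so that
    group-bound Roles are evaluated) may perform `verb` on `resource`
    in `namespace`."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": userinfo.get("username"),
            "groups": userinfo.get("groups", []),
            "uid": userinfo.get("uid"),
            "extra": userinfo.get("extra", {}),
            "resourceAttributes": {
                "namespace": namespace, "verb": verb, "resource": resource,
            },
        },
    }


def validate(review_json: str, authorize: Authorizer) -> Dict:
    """Return the AdmissionReview response: allowed only if the requester
    passes a SubjectAccessReview in every namespace listed in the spec.
    A request without userInfo is denied (fail closed)."""
    review = json.loads(review_json)
    req = review["request"]
    userinfo = req.get("userInfo") or {}
    response: Dict = {"uid": req["uid"], "allowed": False}
    if not userinfo.get("username"):
        response["status"] = {"code": 403,
                              "message": "admission request carries no userInfo"}
    else:
        targets: List[str] = req["object"].get("spec", {}).get("targetNamespaces", [])
        denied = [ns for ns in targets
                  if not authorize(subject_access_review(userinfo, ns))]
        if denied:
            response["status"] = {
                "code": 403,
                "message": f"{userinfo['username']} may not create secrets in: "
                           + ", ".join(denied),
            }
        else:
            response["allowed"] = True
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview",
            "response": response}


def allow_only(namespaces: Set[str]) -> Authorizer:
    """Stand-in authorizer for offline use: grants the review only when its
    resourceAttributes.namespace is in the given set."""
    return lambda sar: sar["spec"]["resourceAttributes"]["namespace"] in namespaces


if __name__ == "__main__":
    # The sample requester is allowed into team-a but not kube-system,
    # so the resource is rejected with a 403 naming the failing namespace.
    result = validate(SAMPLE_ADMISSION_REVIEW, allow_only({"team-a"}))
    print(json.dumps(result["response"], indent=2))
```

In a real operator the `authorize` callable would POST the body to the cluster, for instance with the official Python client's `AuthorizationV1Api().create_subject_access_review(body)` and return `.status.allowed`; the webhook's own ServiceAccount then needs permission to create `subjectaccessreviews.authorization.k8s.io`. Two caveats worth keeping: run the same check on UPDATE as on CREATE, since the target list can be edited after creation, and always copy the groups from `userInfo` into the review, otherwise RoleBindings granted to groups such as `system:serviceaccounts` are silently ignored and the check may deny (or, with a different policy, allow) the wrong requests.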