Switch kubelet/aggregated API servers to use v1 subjectaccessreviews
@@ -46,6 +46,8 @@ type Config struct {
|
||||
|
||||
// Kubeconfig file for Webhook authorization plugin.
|
||||
WebhookConfigFile string
|
||||
// API version of subject access reviews to send to the webhook (e.g. "v1", "v1beta1")
|
||||
WebhookVersion string
|
||||
// TTL for caching of authorized responses from the webhook server.
|
||||
WebhookCacheAuthorizedTTL time.Duration
|
||||
// TTL for caching of unauthorized responses from the webhook server.
|
||||
@@ -98,6 +100,7 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
|
||||
ruleResolvers = append(ruleResolvers, abacAuthorizer)
|
||||
case modes.ModeWebhook:
|
||||
webhookAuthorizer, err := webhook.New(config.WebhookConfigFile,
|
||||
config.WebhookVersion,
|
||||
config.WebhookCacheAuthorizedTTL,
|
||||
config.WebhookCacheUnauthorizedTTL)
|
||||
if err != nil {
|
||||
|
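Review bot: `config.WebhookVersion` is passed to `webhook.New` in the `modes.ModeWebhook` case exactly as the caller set it, so a `Config` built without the new field hands over an empty string, and whether that fails closed depends on code outside this hunk. The field comment should state the requirement, for example `// API version of subject access reviews to send to the webhook (e.g. "v1", "v1beta1"). Must be set when the Webhook mode is enabled; it is passed to webhook.New unchanged.` The visible `if err != nil` after the call suggests a rejected version aborts authorizer construction, which is the behaviour to keep. A test that an empty or unknown version makes `New` return an error would pin it. `New` begins before and continues past the hunk.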
@@ -33,6 +33,7 @@ type BuiltInAuthorizationOptions struct {
|
||||
Modes []string
|
||||
PolicyFile string
|
||||
WebhookConfigFile string
|
||||
WebhookVersion string
|
||||
WebhookCacheAuthorizedTTL time.Duration
|
||||
WebhookCacheUnauthorizedTTL time.Duration
|
||||
}
|
||||
@@ -40,6 +41,7 @@ type BuiltInAuthorizationOptions struct {
|
||||
func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
|
||||
return &BuiltInAuthorizationOptions{
|
||||
Modes: []string{authzmodes.ModeAlwaysAllow},
|
||||
WebhookVersion: "v1beta1",
|
||||
WebhookCacheAuthorizedTTL: 5 * time.Minute,
|
||||
WebhookCacheUnauthorizedTTL: 30 * time.Second,
|
||||
}
|
||||
@@ -99,6 +101,9 @@ func (s *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
"File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. "+
|
||||
"The API server will query the remote service to determine access on the API server's secure port.")
|
||||
|
||||
fs.StringVar(&s.WebhookVersion, "authorization-webhook-version", s.WebhookVersion, ""+
|
||||
"The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook.")
|
||||
|
||||
fs.DurationVar(&s.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl",
|
||||
s.WebhookCacheAuthorizedTTL,
|
||||
"The duration to cache 'authorized' responses from the webhook authorizer.")
|
||||
|
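Review bot: The help text for `--authorization-webhook-version` in `AddFlags` does not name the accepted values, and nothing in these hunks checks the string the operator supplies. The default stays at `"v1beta1"` in `NewBuiltInAuthorizationOptions`. This value selects the SubjectAccessReview version used for every webhook authorization decision, so a mistyped version is best rejected when the options are validated rather than, presumably, only when the authorizer is constructed. I would extend the text to something like `"The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook (e.g. v1beta1, v1)."` and, if the options' validation does not already cover it, add a check there. `AddFlags` starts before and runs past the hunk, and any validation function is not visible here.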