feat(ISSUE-1434): poc authorizer webhook for resource owners #1695
base: main
Conversation
…dePort On-behalf-of: @SAP [email protected]
…CoreDNS, use ClusterIP service for authz On-behalf-of: @SAP [email protected]
…ned-by label; add serviceaccount with rbac to authz On-behalf-of: @SAP [email protected]
…olv.conf and use NodePort service with loopback IP instead On-behalf-of: @SAP [email protected]
cmd/authz/main.go
Outdated
| scheme := runtime.NewScheme() | ||
| utilruntime.Must(clientgoscheme.AddToScheme(scheme)) | ||
| utilruntime.Must(greenhousev1alpha1.AddToScheme(scheme)) | ||
| utilruntime.Must(greenhousev1alpha2.AddToScheme(scheme)) |
You can move this to an init function and do it like this:
var (
	scheme   = runtime.NewScheme()
	setupLog = ctrl.Log.WithName("setup")
)
func init() {
	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
	utilruntime.Must(greenhousev1alpha1.AddToScheme(scheme))
	utilruntime.Must(greenhousev1alpha2.AddToScheme(scheme))
}
Good point! Done.
cmd/authz/main.go
Outdated
| handleError(err, "Failed to create manager") | ||
|
|
||
| // Register the authorizer webhook. | ||
| dynClient, err := dynamic.NewForConfig(mgr.GetConfig()) |
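Review bot: the err returned by dynamic.NewForConfig on the last line of this hunk is not checked within the visible lines; it should go through the same handleError(err, "...") path used for the manager a few lines above before dynClient is handed to the webhook. Worth noting as well that a dynamic client built from mgr.GetConfig() bypasses the manager's cache, so every SubjectAccessReview the apiserver sends will cost a live API call on the authorization hot path; if that is the intended trade-off for the PoC, a short comment saying so would save the next reader the question.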
Can we not use mgr.GetClient() instead?
I could use the typed client, but then I also need to use the meta.RESTMapper to get the Kind from the SubjectAccessReview, because it's not there by default. And we still need to operate on the Unstructured object, because it can be any of the Greenhouse CRDs.
gvr := schema.GroupVersionResource{
	Group:    attrs.Group,
	Version:  attrs.Version,
	Resource: attrs.Resource,
}
gvk, err := mapper.KindFor(gvr)
if err != nil {
	return err // unknown resource: the Kind cannot be resolved
}
obj := &unstructured.Unstructured{}
obj.SetGroupVersionKind(gvk)
key := types.NamespacedName{Namespace: attrs.Namespace, Name: attrs.Name}
if err := client.Get(ctx, key, obj); err != nil {
	return err
}
Is this solution better than the dynamic client?
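The owner decision the thread is discussing, as an added example that is not the PR's code: it hand-writes the SubjectAccessReview subset instead of importing k8s.io/api, and the OwnerLookup function stands in for the dynamic or unstructured Get; the API group, resource names and owner values below are constructed placeholders, not Greenhouse's.

```go
package main
import "encoding/json"
// Hand-written subset of authorization.k8s.io/v1 SubjectAccessReview, the body
// the kube-apiserver POSTs to an authorization webhook (no k8s.io/api import).
type ResourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb"`
	Resource  string `json:"resource"`
	Name      string `json:"name,omitempty"`
}
type SubjectAccessReview struct {
	Spec struct {
		ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
		User               string              `json:"user"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Denied  bool   `json:"denied,omitempty"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}
// OwnerLookup is an assumed stand-in for the unstructured Get discussed above:
// it returns the owner recorded on the named object (e.g. from a label).
type OwnerLookup func(attrs ResourceAttributes) (owner string, found bool, err error)
// Decide fills in Status. Only the owner gets an explicit allow; every other case,
// including a failed lookup, stays "no opinion" (allowed=false, denied=false), so
// the webhook never fails open and later authorizers in the chain still run.
func Decide(raw []byte, lookup OwnerLookup) (*SubjectAccessReview, error) {
	sar := &SubjectAccessReview{}
	if err := json.Unmarshal(raw, sar); err != nil {
		return nil, err
	}
	attrs := sar.Spec.ResourceAttributes
	if attrs == nil || attrs.Name == "" {
		return sar, nil // non-resource or collection request: no single owner
	}
	owner, found, err := lookup(*attrs)
	if err != nil {
		sar.Status.Reason = "owner lookup failed: " + err.Error()
	} else if found && owner == sar.Spec.User {
		sar.Status.Allowed = true
		sar.Status.Reason = "requester is the resource owner"
	}
	return sar, nil
}
// Constructed sample request and cluster state (placeholder API group, not the project's).
const SampleReview = `{"apiVersion":"authorization.k8s.io/v1","kind":"SubjectAccessReview","spec":{"resourceAttributes":{"namespace":"demo","verb":"update","group":"example.org","resource":"widgets","name":"w1"},"user":"alice"}}`
func SampleLookup(a ResourceAttributes) (string, bool, error) {
	o, ok := map[string]string{"demo/w1": "alice"}[a.Namespace+"/"+a.Name]
	return o, ok, nil
}
```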
e2e's are not working; was anything changed?
…fix lint suggestions On-behalf-of: @SAP [email protected]
Description
This PR adds the Authorization Webhook to the authz chart and configures it in the local kind cluster setup. It uses a NodePort service for the local setup. The authorizer is triggered after RBAC and only for Greenhouse resource requests (see matchConditions in dev-env/webhook/structured-authz.yaml). Authorizer certificate generation is added to the setup-manager make target; mTLS is used for communication between the kube-apiserver and the authorization webhook.