0

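When using Kubernetes Admission Controllers ValidatingWebhookConfiguration, I want to skip intercepting internal requests such as those from Kubernetes Controllers.

More specifically, I want the only requests matched by the validating webhook to be users' requests made through kubectl/API, etc.

Is this possible?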

4

1 Answer 1

1

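According to Webhook request and response, your webhook will receive an AdmissionRequest object that contains a UserInfo field. In it, there are fields such as Username and Groups, among others, that may be useful for solving your problem.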

...
    "userInfo": {
      # Username of the authenticated user making the request to the API server
      "username": "admin",
      # UID of the authenticated user making the request to the API server
      "uid": "014fbff9a07c",
      # Group memberships of the authenticated user making the request to the API server
      "groups": ["system:authenticated","my-admin-group"],
      # Arbitrary extra info associated with the user making the request to the API server.
      # This is populated by the API server authentication layer and should be included
      # if any SubjectAccessReview checks are performed by the webhook.
      "extra": {
        "some-key":["some-value1", "some-value2"]
      }
    },
...
Answered 2021-10-19T08:45:30.107
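One way to act on the `userInfo` field described in the answer above, as an added example that is not part of the original answer: the webhook handler allows requests from control-plane identities without validating them and runs its policy on everyone else. The set of identities treated as internal and the `validate_object` policy (an `owner` label requirement) are assumptions for illustration; the request bodies are constructed.

```python
# Added example: skip validation for control-plane identities, validate everyone else.
# Which identities count as "internal" is an assumption; adjust it for your cluster.
INTERNAL_USERS = {"system:kube-controller-manager", "system:kube-scheduler", "system:apiserver"}
INTERNAL_USER_PREFIXES = ("system:node:", "system:serviceaccount:kube-system:")
INTERNAL_GROUPS = {"system:nodes", "system:serviceaccounts:kube-system"}


def is_internal(user_info):
    """True when userInfo names a control-plane component, a node or a kube-system service account."""
    username = user_info.get("username", "")
    groups = set(user_info.get("groups") or [])
    return (username in INTERNAL_USERS
            or username.startswith(INTERNAL_USER_PREFIXES)
            or bool(groups & INTERNAL_GROUPS))


def validate_object(obj):
    """Hypothetical policy standing in for the real check: require an 'owner' label."""
    labels = (obj or {}).get("metadata", {}).get("labels") or {}
    return None if "owner" in labels else "missing required label 'owner'"


def review(admission_review):
    """Build the AdmissionReview response for one incoming request."""
    request = admission_review["request"]
    response = {"uid": request["uid"], "allowed": True}
    # Internal identities are allowed unvalidated; everyone else goes through the policy.
    if not is_internal(request.get("userInfo") or {}):
        error = validate_object(request.get("object"))
        if error:
            response["allowed"] = False
            response["status"] = {"code": 403, "message": error}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def sample(username, groups, labels=None):
    """Constructed request; the 'admin' identity mirrors the userInfo shown in the answer."""
    return {"request": {"uid": "constructed-uid-1",
                        "userInfo": {"username": username, "groups": groups},
                        "object": {"metadata": {"labels": labels or {}}}}}


if __name__ == "__main__":
    print(review(sample("admin", ["system:authenticated", "my-admin-group"])))
    print(review(sample("system:kube-controller-manager", ["system:authenticated"])))
```

Every identity on the skip list bypasses the policy entirely, so the list is best kept to the exact usernames and groups the cluster's own components use.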