在使用 Kubernetes Admission Controllers ValidatingWebhookConfiguration时,我想跳过对Kubernetes Controllers等内部请求的拦截。
更具体地说,我希望验证 webhook 匹配的唯一请求是用户通过 Kubctl/API 等的请求。
可能吗?
问问题
58 次
1 回答
1
根据Webhook 请求和响应,您的 Webhook 将收到一个包含UserInfo字段的AdmissionRequest对象。在其中,有诸如和其他可能对解决您的问题有用的字段。UsernameGroups
...
"userInfo": {
# Username of the authenticated user making the request to the API server
"username": "admin",
# UID of the authenticated user making the request to the API server
"uid": "014fbff9a07c",
# Group memberships of the authenticated user making the request to the API server
"groups": ["system:authenticated","my-admin-group"],
# Arbitrary extra info associated with the user making the request to the API server.
# This is populated by the API server authentication layer and should be included
# if any SubjectAccessReview checks are performed by the webhook.
"extra": {
"some-key":["some-value1", "some-value2"]
}
},
...
于 2021-10-19T08:45:30.107 回答