kubernetes - Multiple Kubernetes authorization modules checked in sequence: how?

Tags: kubernetes authorization

The Kubernetes documentation on authorization states:

When multiple authorization modules are configured, each is checked in sequence. If any authorizer approves or denies a request, that decision is immediately returned and no other authorizer is consulted. If all modules have no opinion on the request, then the request is denied. A deny returns an HTTP status code 403.

I'm currently writing a custom webhook for authorization, and in a few cases I want the logic to fall back to RBAC, i.e. have my webhook respond with what the documentation calls "no opinion". However, the documentation only details how to approve or deny a request and never comes back to this third option, which seems essential for checking multiple authorization modules in sequence. In the context of my webhook, how do I best reply "I have no opinion on this request, please pass it on to the next authorizer"?

Best answer

It is not clear from the official kubernetes documentation how the AuthorizationModule works.

So I checked the apiserver source code: it creates a combined authorizer.Authorizer via union.New(authorizers...), and in the union source I found the answer:

The union authorizer iterates over each subauthorizer and returns the first decision that is either an Allow decision or a Deny decision. If a subauthorizer returns a NoOpinion, then the union authorizer moves onto the next authorizer or, if the subauthorizer was the last authorizer, returns NoOpinion as the aggregate decision

More details in k8s.io/apiserver/pkg/authorization/union:

```go
func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (authorizer.Decision, string, error) {
    var (
        errlist    []error
        reasonlist []string
    )

    for _, currAuthzHandler := range authzHandler {
        decision, reason, err := currAuthzHandler.Authorize(a)

        if err != nil {
            errlist = append(errlist, err)
        }
        if len(reason) != 0 {
            reasonlist = append(reasonlist, reason)
        }
        switch decision {
        case authorizer.DecisionAllow, authorizer.DecisionDeny:
            return decision, reason, err
        case authorizer.DecisionNoOpinion:
            // continue to the next authorizer
        }
    }

    return authorizer.DecisionNoOpinion, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist)
}
```

So if you want to create a custom webhook AuthorizationModule and pass the decision on to the next authorizer, just give a response like the following:

```json
{
  "apiVersion": "authorization.k8s.io/v1beta1",
  "kind": "SubjectAccessReview",
  "status": {
    "reason": "no decision",
    "allowed": false,
    "denied": false
  }
}
```

Then the apiserver can make a decision from this response:

```go
    switch {
    case r.Status.Denied && r.Status.Allowed:
        return authorizer.DecisionDeny, r.Status.Reason, fmt.Errorf("webhook subject access review returned both allow and deny response")
    case r.Status.Denied:
        return authorizer.DecisionDeny, r.Status.Reason, nil
    case r.Status.Allowed:
        return authorizer.DecisionAllow, r.Status.Reason, nil
    default:
        return authorizer.DecisionNoOpinion, r.Status.Reason, nil
    }
```
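As an added illustration (not code from the question, the answer or the Kubernetes project), here is a minimal Go decision routine for such a webhook that produces all three SubjectAccessReview outcomes the answer describes: allow, deny, and the allowed:false/denied:false "no opinion" reply that lets the union authorizer fall through to RBAC. The struct types, the "restricted" namespace policy and the function names are hypothetical.

```go
package main

import "encoding/json"

// Minimal SubjectAccessReview shapes, declared here instead of importing the k8s.io types.
// Denied has no omitempty so a "no opinion" answer serializes as allowed:false, denied:false.
type resourceAttributes struct {
	Namespace string `json:"namespace"`
	Verb      string `json:"verb"`
}
type sarSpec struct {
	ResourceAttributes *resourceAttributes `json:"resourceAttributes,omitempty"`
}
type sarStatus struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied"`
	Reason  string `json:"reason,omitempty"`
}
type subjectAccessReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Spec       sarSpec   `json:"spec"`
	Status     sarStatus `json:"status"`
}

// decide implements a hypothetical policy: the webhook only has an opinion about the
// "restricted" namespace. Anything else gets NoOpinion, so the union authorizer moves on to RBAC.
func decide(spec sarSpec) sarStatus {
	ra := spec.ResourceAttributes
	if ra == nil || ra.Namespace != "restricted" {
		return sarStatus{Allowed: false, Denied: false, Reason: "no opinion"}
	}
	if ra.Verb == "get" || ra.Verb == "list" || ra.Verb == "watch" {
		return sarStatus{Allowed: true, Reason: "read-only access to restricted"}
	}
	return sarStatus{Denied: true, Reason: "writes to restricted are blocked"}
}

// review handles one SubjectAccessReview request body (what the apiserver POSTs to the webhook)
// and returns the response body; wire it to an HTTPS handler in a real deployment.
func review(body []byte) ([]byte, error) {
	var sar subjectAccessReview
	if err := json.Unmarshal(body, &sar); err != nil {
		return nil, err
	}
	sar.Status = decide(sar.Spec)
	return json.Marshal(sar)
}
```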

Regarding "kubernetes - Multiple Kubernetes authorization modules checked in sequence: how?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57248927/
