Is it possible to use the "extra" attribute associated with an apiserver request to make authorization decisions with RBAC?
When a client authenticates to the apiserver, a number of attributes are associated with the request. These attributes include an "extra" attribute, which is simply a map from string to list of strings.
Authorization plugins can look at these attributes to make authorization decisions. Does the RBAC authorization plugin support looking at these "extra" attributes?
The brief description of the extra attribute in the source code says:
```go
package user

// Info describes an authenticated user. Only the GetExtra accessor was quoted;
// the surrounding declarations are reconstructed so the fragment compiles.
type Info interface {
	// GetExtra can contain any additional information that the authenticator
	// thought was interesting. One example would be scopes on a token.
	// Keys in this map should be namespaced to the authenticator or
	// authenticator/authorizer pair making use of them.
	// For instance: "example.org/foo" instead of "foo"
	// This is a map[string][]string because it needs to be serializeable into
	// a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization
	// delegation flows
	// In order to faithfully round-trip through an impersonation flow, these keys
	// MUST be lowercase.
	GetExtra() map[string][]string
}

// DefaultInfo is the concrete user record the authenticators fill in.
type DefaultInfo struct {
	Extra map[string][]string
}

func (i *DefaultInfo) GetExtra() map[string][]string {
	return i.Extra
}
```
After reading the code, I did not find any references to the extra attributes.
It looks like the extra attributes are not currently used in the RBAC plugin, but they can be used in Webhook authorization mode.
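To show what "used in Webhook authorization mode" looks like in practice, here is an added example (not part of the original question or answer, and not Kubernetes project code) of a minimal authorization webhook that decides from `spec.extra` of the SubjectAccessReview the apiserver POSTs to it. The struct types are a hand-written mirror of the `authorization.k8s.io/v1` fields used, so it runs offline without importing `k8s.io/api`; the extra key `example.org/scopes`, the scope names `read`/`write`, and the sample review are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
)

// Hand-written mirror of the authorization.k8s.io/v1 SubjectAccessReview fields
// this webhook reads (assumption: kept in sync with the real API by hand).
type ResourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb,omitempty"`
	Group     string `json:"group,omitempty"`
	Resource  string `json:"resource,omitempty"`
	Name      string `json:"name,omitempty"`
}

type SubjectAccessReviewSpec struct {
	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
	User               string              `json:"user,omitempty"`
	Groups             []string            `json:"groups,omitempty"`
	// Extra is where the authenticator's GetExtra() map is serialized.
	Extra map[string][]string `json:"extra,omitempty"`
}

type SubjectAccessReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"`
	Reason  string `json:"reason,omitempty"`
}

type SubjectAccessReview struct {
	APIVersion string                    `json:"apiVersion"`
	Kind       string                    `json:"kind"`
	Spec       SubjectAccessReviewSpec   `json:"spec"`
	Status     SubjectAccessReviewStatus `json:"status"`
}

// ScopeKey is a hypothetical extra key. Real keys are namespaced to the
// authenticator and must be lowercase to survive impersonation round-trips.
const ScopeKey = "example.org/scopes"

var readVerbs = map[string]bool{"get": true, "list": true, "watch": true}

func hasScope(scopes []string, want string) bool {
	for _, s := range scopes {
		if s == want {
			return true
		}
	}
	return false
}

// Authorize decides purely from spec.extra. When no scopes are present it
// returns "no opinion" (neither allowed nor denied) so the apiserver moves on
// to the next authorizer (e.g. RBAC) instead of this webhook opening access.
func Authorize(spec SubjectAccessReviewSpec) SubjectAccessReviewStatus {
	scopes := spec.Extra[ScopeKey]
	if len(scopes) == 0 {
		return SubjectAccessReviewStatus{Reason: "no scopes in extra; no opinion"}
	}
	if spec.ResourceAttributes == nil {
		return SubjectAccessReviewStatus{Reason: "non-resource request; no opinion"}
	}
	need := "write"
	if readVerbs[spec.ResourceAttributes.Verb] {
		need = "read"
	}
	if hasScope(scopes, need) {
		return SubjectAccessReviewStatus{Allowed: true, Reason: fmt.Sprintf("scope %q present", need)}
	}
	// An explicit deny short-circuits the chain: a token that carries scopes but
	// lacks the needed one must not be rescued by a broader RBAC binding.
	return SubjectAccessReviewStatus{Denied: true, Reason: fmt.Sprintf("scopes %v lack %q", scopes, need)}
}

// ReviewJSON takes the review body the apiserver POSTs and returns the same
// object with status filled in, as the webhook protocol expects.
func ReviewJSON(body []byte) ([]byte, error) {
	var sar SubjectAccessReview
	if err := json.Unmarshal(body, &sar); err != nil {
		return nil, err
	}
	sar.Status = Authorize(sar.Spec)
	return json.Marshal(sar)
}

func handleReview(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap request size
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	out, err := ReviewJSON(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(out)
}

// SampleReview is a constructed request: a token scoped to "read" asking to get pods.
const SampleReview = `{"apiVersion":"authorization.k8s.io/v1","kind":"SubjectAccessReview",` +
	`"spec":{"user":"alice","groups":["system:authenticated"],` +
	`"extra":{"example.org/scopes":["read"]},` +
	`"resourceAttributes":{"namespace":"dev","verb":"get","resource":"pods"}}}`

func main() {
	out, _ := ReviewJSON([]byte(SampleReview))
	fmt.Println(string(out))
	http.HandleFunc("/authorize", handleReview)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil)) // real deployments serve TLS
}
```

Running the block prints the decided review for the constructed sample (`"allowed":true`) and then listens on localhost. A real webhook would be served over TLS as configured in the apiserver's `--authorization-webhook-config-file` kubeconfig, and the key design choice to keep is the "no opinion" path: only deny or allow when the extra key is actually present, otherwise defer to RBAC so a missing attribute never silently grants access.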