Open EdwardCooke opened 2 days ago
Unfortunately Gatekeeper does not currently provide an authorization webhook.
Not exactly what you asked for, but take a look at https://kubernetes.io/blog/2024/04/26/multi-webhook-and-modular-authorization-made-much-easier/
conditions for invocation with CEL rules to pre-filter requests before they are dispatched to webhooks, helping you prevent unnecessary invocations.
That’s what I use. Along with the GitHub issue I opened due to incorrect documentation on that and all the other pages for using that method.
Right now I have it calling OPA directly; I was hoping for something with Gatekeeper.
Thanks @maxsmythe that answers my question. I’ll continue with the setup I have then and revisit it later.
Describe the solution you'd like
Right now I'm using kube-mgmt/opa to expose an endpoint for use as a Kubernetes API Authorization webhook. For example, my api authentication webhook calls
https://opa-opa-kube-mgmt.opa-auth-system.svc.cluster.local:8181/v0/data/k8sallow/allow
That policy is set using a config map that kube-mgmt injects into OPA.
Can I do the same using gatekeeper? And if so, how? I looked over the documentation and couldn't find a way of doing this.
Anything else you would like to add: I'm using the latest kube-mgmt with the latest opa image.
Here's the policies I use kube-mgmt to inject into opa:
Another policy that would fit into gatekeeper I think pretty well.
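The request and response documents exchanged with an endpoint like the `/v0/data/k8sallow/allow` URL in the issue, as an added example that is not the poster's policy and not code from kube-mgmt, OPA or Gatekeeper. OPA's v0 Data API passes the POST body to the policy as `input` and returns the rule's value unwrapped, so the rule has to evaluate to a whole SubjectAccessReview; the Python below models that contract, and the group name, the read-only rule and the sample request are assumptions.

```python
import json

READ_VERBS = {"get", "list", "watch"}
VIEWER_GROUP = "example:viewers"  # hypothetical group name (assumption)

def reply(allowed, denied=False, reason=""):
    """SubjectAccessReview response; allowed=False with denied=False means no opinion."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "status": {"allowed": allowed, "denied": denied, "reason": reason},
    }

def review(body: bytes) -> dict:
    """Decide on one request body as the API server would POST it."""
    try:
        sar = json.loads(body)
        spec = sar["spec"]
        if sar.get("kind") != "SubjectAccessReview" or not isinstance(spec, dict):
            raise ValueError("not a SubjectAccessReview")
        groups = set(spec.get("groups") or [])
    except (ValueError, KeyError, TypeError):
        # Malformed input gets no opinion, so the next authorizer decides.
        return reply(False, reason="malformed SubjectAccessReview")
    attrs = spec.get("resourceAttributes")
    if not isinstance(attrs, dict):
        # Non-resource requests (e.g. /healthz) are left to other authorizers.
        return reply(False, reason="no opinion on non-resource requests")
    if VIEWER_GROUP not in groups:
        return reply(False, reason="no opinion")
    if isinstance(attrs.get("verb"), str) and attrs["verb"] in READ_VERBS:
        return reply(True, reason="viewer read access")
    # denied=True is an explicit deny that short-circuits the authorizer chain.
    return reply(False, denied=True, reason="viewers are read-only")

def sample_request(groups, verb):
    """Constructed SubjectAccessReview, shaped like the API server's request."""
    return json.dumps({
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {"user": "alice", "groups": groups,
                 "resourceAttributes": {"namespace": "demo", "verb": verb,
                                        "resource": "pods"}},
    }).encode()

if __name__ == "__main__":
    print(json.dumps(review(sample_request([VIEWER_GROUP], "delete")), indent=2))
```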