When using Kubernetes Admission Controllers ValidatingWebhookConfiguration, I'd like to skip the interception of internal requests such as Kubernetes Controllers.

More specifically, the only requests that I want the validation webhook to match are users' requests via kubectl/API, etc.

Is it possible?

tomikos

1 Answer

According to "Webhook request and response", your webhook will receive an AdmissionRequest object, which contains a UserInfo field. In it, there are fields like Username, Groups and others that might be useful for solving your problem.

```
...
    "userInfo": {
      # Username of the authenticated user making the request to the API server
      "username": "admin",
      # UID of the authenticated user making the request to the API server
      "uid": "014fbff9a07c",
      # Group memberships of the authenticated user making the request to the API server
      "groups": ["system:authenticated","my-admin-group"],
      # Arbitrary extra info associated with the user making the request to the API server.
      # This is populated by the API server authentication layer and should be included
      # if any SubjectAccessReview checks are performed by the webhook.
      "extra": {
        "some-key":["some-value1", "some-value2"]
      }
    },
...
```

Vüsal
  • Yes, I am aware of this, but unfortunately it doesn't really help here because I want to skip those requests completely, without passing them through the webhook. Something similar to the objectSelector. – tomikos Oct 19 '21 at 19:10
  • A person using `kubectl` or a k8s controller acting on some resources are using the same REST API (API server) to do what they need. API server has no way to distinguish requests sent from controllers or via `kubectl` - essentially, you can emulate the same request from both. Because of that - I doubt there is a way to do it like you described. I guess it would be more helpful if you describe what exactly you want to achieve by this - maybe someone will provide a better approach? – Vüsal Oct 20 '21 at 05:53
  • I just want the webhook to only intercept users' requests for policy control. Requests from controllers are system requests so I don't want to govern any of them. One way to exclude controller requests would be skipping them once they reached the webhook server, but this just puts an unneeded overhead on the server. I still think it would be very useful to distinguish between system requests and users'. – tomikos Oct 21 '21 at 14:37
  • I understand what you mean - but I think there is no way to do what you want in k8s. It just doesn't have that functionality. – Vüsal Oct 21 '21 at 21:51
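
The in-webhook skip mentioned in the comments, built on the `userInfo` field from the answer, as an added example (not code from the posts above or from the Kubernetes project). The names `isInternal`, `Decide` and `policy`, and the choice of which identities count as internal, are assumptions; the sample request in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the admission.k8s.io/v1 AdmissionReview used by this example.
type UserInfo struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}

type Review struct {
	Request struct {
		UserInfo UserInfo `json:"userInfo"`
	} `json:"request"`
}

// isInternal uses an assumed definition of "internal": control-plane components,
// kubelets and kube-system service accounts. system:anonymous is never skipped.
func isInternal(u UserInfo) bool {
	switch u.Username {
	case "system:kube-controller-manager", "system:kube-scheduler":
		return true
	}
	return strings.HasPrefix(u.Username, "system:node:") ||
		strings.HasPrefix(u.Username, "system:serviceaccount:kube-system:")
}

// Decide returns (allowed, skipped) for one AdmissionReview body; policy is a
// hypothetical stand-in for the real validation applied to user requests.
func Decide(body []byte, policy func(UserInfo) bool) (allowed, skipped bool, err error) {
	var r Review
	if err = json.Unmarshal(body, &r); err != nil {
		return false, false, err
	}
	if isInternal(r.Request.UserInfo) {
		return true, true, nil // fast path: policy is never evaluated
	}
	return policy(r.Request.UserInfo), false, nil
}

func main() {
	// Constructed sample request, reusing the username from the excerpt above.
	body := []byte(`{"request":{"userInfo":{"username":"admin","groups":["system:authenticated"]}}}`)
	fmt.Println(Decide(body, func(UserInfo) bool { return false }))
}
```

Every identity on the skip list bypasses the policy entirely, including anyone allowed to impersonate it or holding its token, so the list should stay as narrow as the cluster allows.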