
Why does gatekeeper implement admission webhook but not authorization webhook?

Open answer1991 opened this issue 4 years ago • 9 comments

I want an authorization webhook using OPA rules and the OPA engine. But for now, I found that Gatekeeper implements an admission webhook but not an authorization webhook.

Then do I need to implement an authorization webhook by myself? Is there a plan to implement an authorization webhook, or are there any reasons we do not need an authorization webhook?

answer1991 avatar Apr 15 '20 15:04 answer1991

Without knowing what you are planning on doing, I can't speak to whether you need an authorization webhook or not.

However, hosting an on-cluster authorization webhook is generally discouraged due to the self-management problem it creates. This is doubly true for Gatekeeper, which relies on the API server for its configuration.

That being said, the Constraint Framework could be adapted in a separate project to work as an authorization webhook. It could use constraints and templates (that rely on a different set of data, b/c authorization webhook calls have a different protocol), but it would have a very different deployment and operationalization model than GK itself does.

maxsmythe avatar Apr 15 '20 22:04 maxsmythe

@maxsmythe

Thanks for the reply. I'm trying to use an OPA authorization webhook to replace RBAC/ABAC for Kubernetes authorization management.

Is there a plan to refactor the Constraint Framework and start a new project to implement an authorization webhook, rather than in GK?

answer1991 avatar Apr 17 '20 17:04 answer1991

Shouldn't require a refactoring, as Constraint Framework is pluggable, but I'm not aware of any plans to write an authorization webhook using the CF.

maxsmythe avatar Apr 18 '20 02:04 maxsmythe

Looking for the same thing as @answer1991, I found that Gatekeeper implemented an authorization webhook mode in the past.

  • Original issue: https://github.com/open-policy-agent/gatekeeper/issues/22
  • Implementation: https://github.com/open-policy-agent/gatekeeper/pull/28/files
  • Similar issue with explanation: https://github.com/open-policy-agent/gatekeeper/issues/464

Lirt avatar Sep 14 '20 13:09 Lirt

This could be helpful in certain cases where RBAC isn't expressive enough. One example is a policy that allows certain users to view Secrets in ALL namespaces except one. Right now this can only be handled with a custom controller that adds per-ns RBAC rules, but it could be expressed more cleanly in Rego.

rosskusler avatar Mar 15 '21 05:03 rosskusler

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 23 '22 08:07 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 11 '22 02:10 stale[bot]

@ritazh mentioned this not too long ago

maxsmythe avatar Oct 27 '22 01:10 maxsmythe

This could be helpful in certain cases where RBAC isn't expressive enough. One example is a policy that allows certain users to view Secrets in ALL namespaces except one. Right now this can only be handled with a custom controller that adds per-ns RBAC rules, but it could be expressed more cleanly in Rego.

@rosskusler - We're actually going through something like this now. We planned on creating the controller as described above, but were unsure if anyone came up with a better solution. Any pointers?

nxf5025 avatar Mar 22 '23 21:03 nxf5025
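The "Secrets in all namespaces except one" policy that @rosskusler and @nxf5025 discuss, written as a Rego policy for a plain OPA authorization webhook (an added example for this thread, not Gatekeeper or OPA project code; the user names and the excluded namespace are constructed values). It assumes OPA is the target of the API server's authorization webhook and receives `authorization.k8s.io/v1` SubjectAccessReview objects as `input`, which is the different protocol maxsmythe refers to above; the hosting and webhook-config questions he raises are out of scope here.

```rego
package kubernetes.authz

# The API server POSTs a SubjectAccessReview; spec.user, spec.groups and
# spec.resourceAttributes describe the request and status.allowed is the
# answer. Constructed example input:
#   {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
#    "spec": {"user": "alice@example.com", "groups": ["system:authenticated"],
#             "resourceAttributes": {"namespace": "team-a", "verb": "get",
#                                    "group": "", "resource": "secrets"}}}

# Users allowed to read Secrets everywhere except one namespace (constructed).
secret_readers = {"alice@example.com", "bob@example.com"}

# The namespace those users must not read Secrets from (constructed).
excluded_namespace = "kube-system"

read_verbs = {"get", "list", "watch"}

# Fail closed: if no rule matches, the reply is allowed=false with no
# "denied" field ("no opinion"), so the API server falls through to RBAC
# instead of this policy granting anything it did not explicitly allow.
# Requests carrying nonResourceAttributes instead of resourceAttributes
# also land here, because input.spec.resourceAttributes is then undefined.
default allowed = false

allowed {
    attrs := input.spec.resourceAttributes
    secret_readers[input.spec.user]
    attrs.group == ""              # core API group
    attrs.resource == "secrets"
    read_verbs[attrs.verb]
    attrs.namespace != ""          # see note below
    attrs.namespace != excluded_namespace
}

# A namespace of "" is a cluster-wide list/watch (kubectl get secrets -A),
# which would also return Secrets from the excluded namespace, so it is
# not granted; the user has to list namespace by namespace.

default reason = "no opinion; deferring to RBAC"

reason = "cluster-wide Secret reader; excluded namespace blocked" { allowed }

# Body returned to the API server.
response = {
    "apiVersion": "authorization.k8s.io/v1",
    "kind": "SubjectAccessReview",
    "status": {"allowed": allowed, "reason": reason},
}
```

Evaluate `data.kubernetes.authz.response` against the sample input with `opa eval` to see the allow, then change `namespace` to `kube-system` or `""` to confirm both fall back to `allowed: false`.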