Commit 049643c

Address review comments
Signed-off-by: Nabarun Pal <[email protected]>
1 parent 801367c commit 049643c

1 file changed

+10
-11
lines changed
  • keps/sig-auth/3221-structured-authorization-configuration

keps/sig-auth/3221-structured-authorization-configuration/README.md

Lines changed: 10 additions & 11 deletions
@@ -114,7 +114,8 @@ Add a configuration format having specific precedence order and defined failure
114114
apiVersion: apiserver.config.k8s.io/v1alpha1
115115
kind: AuthorizationConfiguration
116116
authorizers:
117-
- type: Webhook
117+
- name: system-webhook
118+
type: Webhook
118119
webhook:
119120
unauthorizedTTL: 30s
120121
timeout: 3s
@@ -132,7 +133,8 @@ authorizers:
132133
- expression: !('system:serviceaccounts:kube-system' in request.user.groups)
133134
- type: Node
134135
- type: RBAC
135-
- type: Webhook
136+
- name: internal
137+
type: Webhook
136138
webhook:
137139
authorizedTTL: 5m
138140
unauthorizedTTL: 30s
@@ -212,7 +214,8 @@ The below example is only for demonstration purposes.
212214
apiVersion: apiserver.config.k8s.io/v1alpha1
213215
kind: AuthorizationConfiguration
214216
authorizers:
215-
- type: Webhook
217+
- name: system-webhook
218+
type: Webhook
216219
webhook:
217220
unauthorizedTTL: 30s
218221
timeout: 3s
@@ -230,7 +233,8 @@ authorizers:
230233
- expression: !('system:serviceaccounts:kube-system' in request.user.groups)
231234
- type: Node
232235
- type: RBAC
233-
- type: Webhook
236+
- name: opa
237+
type: Webhook
234238
webhook:
235239
unauthorizedTTL: 30s
236240
timeout: 3s
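Review bot: the second webhook in this example is named `opa`, while the otherwise parallel example earlier in the document (new lines 133-140) names the webhook in the same position `internal`. Because the name feeds the `mode` metric label as `webhook_<name>`, a reader comparing the two examples sees two different label values for what looks like the same authorizer chain; consider using one name in both places, or saying that the two examples are intentionally different deployments.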
@@ -332,10 +336,8 @@ authorizers:
332336
# Name used to describe the webhook
333337
# This is explicitly used in monitoring machinery for metrics
334338
# Note:
335-
# - If not specified, the default would be set to ""
336-
# - If there are multiple webhooks in the authorizer chain,
337-
# this field is required
338339
# - Validation for this field is similar to how K8s labels are validated today.
340+
# Required, with no default
339341
name: super-important-kube-system-authorizer
340342
# The duration to cache 'authorized' responses from the webhook
341343
# authorizer.
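Review bot: the new `# Required, with no default` line is separated from the field's description by the `# Note:` block, which now carries a single bullet about label-style validation; consider moving the requirement up next to `# Name used to describe the webhook` so the field's constraints read together. Dropping the multiple-webhook bullet also leaves two things unstated that the old wording implied: whether `name` must be unique across the webhook authorizers in a chain (otherwise two webhooks would share the same `webhook_<name>` metric label), and whether "validated like K8s labels" means label-key or label-value rules. Both are worth spelling out in the comment.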
@@ -454,10 +456,7 @@ Labels {along with possible values}:
454456
- `mode` {<authorizer_name>} # when authorizer is a webhook, prepend `webhook_`
455457
- `decision` {Allow, Deny}
456458

457-
**Note:** Some examples of <authorizer_name>: `RBAC`, `Node`, `ABAC`, `webhook{,_<name>}`.
458-
If there is only one webhook and no name specified, there would be no `_<name>` suffix.
459-
If the webhook has a name specified, even if there is only one webhook, then the name
460-
would be in the metrics and exposed via the metrics endpoint.
459+
**Note:** Some examples of <authorizer_name>: `RBAC`, `Node`, `ABAC`, `webhook_<name>`.
461460

462461
2. `apiserver_authorization_webhook_evaluations_total`
463462
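Review bot: `webhook_<name>` is a pattern rather than an example in a list introduced as "Some examples"; suggest `webhook_<name>, where <name> is the webhook's configured name field (e.g. webhook_system-webhook for the example above)` so it is clear which configured value ends up in the `mode` label. Removing the unnamed-webhook sentence here matches `name` becoming required in the same commit.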
