Webhook Authorization in Kubernetes
Required knowledge for the CKS certification.
What is Webhook Authorization?
Webhook Authorization allows Kubernetes to delegate authorization decisions to an external service via a webhook. It is ideal for custom authorization scenarios that go beyond the capabilities of RBAC and Node Authorization.
How Does Webhook Authorization Work?
- Request Handling: After a request has been authenticated, the API server POSTs a SubjectAccessReview object describing the subject (user and groups) and the requested action to the webhook service.
- Decision Making: The webhook service evaluates that review against its own policies.
- Response: The service returns the review with its status filled in, and the API server allows or denies the request accordingly. Modes listed in --authorization-mode are consulted in order, so a webhook that expresses no opinion hands the request on to the next mode (RBAC in the example below).
Enabling Webhook Authorization
To enable Webhook Authorization, start the API server with the webhook mode and point it at a kubeconfig-format file that describes how to reach the webhook:
kube-apiserver \
  --authorization-mode=Webhook,RBAC \
  --authorization-webhook-config-file=/etc/kubernetes/webhook-config.yaml
Example Webhook Configuration
The file uses the kubeconfig format: the clusters entry names the webhook endpoint and the CA used to verify its certificate, and the users entry holds the client certificate and key the API server presents to the webhook for mutual TLS (paths are placeholders).
apiVersion: v1
kind: Config
clusters:
  - name: webhook-authz
    cluster:
      server: https://authz.example.com/authorize
      certificate-authority: /path/to/ca.crt
users:
  - name: webhook-authz
    user:
      client-certificate: /path/to/apiserver-client.crt
      client-key: /path/to/apiserver-client.key
contexts:
  - name: webhook-authz
    context:
      cluster: webhook-authz
      user: webhook-authz
current-context: webhook-authz
Webhook Authorization Request and Response
Request Example
The API server POSTs a JSON SubjectAccessReview to the webhook service:
{
  "apiVersion": "authorization.k8s.io/v1",
  "kind": "SubjectAccessReview",
  "spec": {
    "user": "jane.doe",
    "groups": ["dev-team"],
    "resourceAttributes": {
      "namespace": "default",
      "verb": "get",
      "resource": "pods"
    }
  }
}
Response Example
The webhook service returns the same object with status set. "allowed": true permits the request; "denied": true rejects it outright, without consulting any later authorization mode; "allowed": false without "denied": true is no opinion, and the request passes to the next mode (RBAC in the configuration above). An ALLOW response looks like this:
{
  "apiVersion": "authorization.k8s.io/v1",
  "kind": "SubjectAccessReview",
  "status": {
    "allowed": true,
    "reason": "User is authorized to get pods in the default namespace"
  }
}
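A minimal decision function and one request/response round trip for the exchange above, written in Go as an added example (it is not code from the page or from Kubernetes itself): a subset of the SubjectAccessReview object, a constructed policy that produces all three outcomes (allow, hard deny, no opinion), and the JSON echo back to the API server. The group names platform-admins and dev-team and the rules are assumptions; serving this over mutual TLS is left to the surrounding HTTPS server.

```go
package main

import "encoding/json"

type ResourceAttributes struct { // subset of the authorization.k8s.io/v1 fields
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb,omitempty"`
	Resource  string `json:"resource,omitempty"`
}
type Spec struct {
	User               string             `json:"user"`
	Groups             []string           `json:"groups,omitempty"`
	ResourceAttributes ResourceAttributes `json:"resourceAttributes"`
}
type Status struct {
	Allowed bool   `json:"allowed"`          // true: allow
	Denied  bool   `json:"denied,omitempty"` // true: hard deny, later authorizers are skipped
	Reason  string `json:"reason,omitempty"`
}
type SubjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       Spec   `json:"spec"`
	Status     Status `json:"status"`
}

// Decide applies a constructed example policy. allowed=false with denied=false
// is "no opinion": the next mode in --authorization-mode (here RBAC) decides.
func Decide(groups []string, ra ResourceAttributes) Status {
	in := map[string]bool{}
	for _, g := range groups {
		in[g] = true
	}
	if ra.Namespace == "kube-system" && !in["platform-admins"] {
		return Status{Denied: true, Reason: "only platform-admins may act in kube-system"}
	}
	if in["dev-team"] && ra.Namespace == "default" && ra.Resource == "pods" && ra.Verb == "get" {
		return Status{Allowed: true, Reason: "dev-team may get pods in default"}
	}
	return Status{Reason: "no matching rule: no opinion"}
}

// Review is one webhook round trip: decode the POSTed review, decide, echo it back.
func Review(body []byte) ([]byte, error) {
	var sar SubjectAccessReview
	if err := json.Unmarshal(body, &sar); err != nil {
		return nil, err
	}
	sar.Status = Decide(sar.Spec.Groups, sar.Spec.ResourceAttributes)
	return json.Marshal(sar) // apiVersion and kind are echoed back unchanged
}
```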
Best Practices for Webhook Authorization
- Secure Webhook Communication:
Use HTTPS with mutual TLS between the API server and the Webhook service: the certificate-authority in the kubeconfig verifies the webhook, and the client certificate authenticates the API server, so the webhook only answers reviews from the real API server.
- Implement High Availability:
Ensure the Webhook service is highly available to avoid authorization disruptions.
- Timeouts and Failures:
Configure timeouts and failure behaviour so that webhook unavailability is handled predictably. The API server caches webhook decisions (--authorization-webhook-cache-authorized-ttl, default 5m, and --authorization-webhook-cache-unauthorized-ttl, default 30s), so policy changes take effect only after the cache expires. With the structured AuthorizationConfiguration file (--authorization-config) the webhook authorizer takes an explicit timeout and failurePolicy; the failure policy must be Deny (fail closed, an unreachable webhook rejects the request) or NoOpinion (fall through to the next mode), and there is no Ignore value for authorization webhooks, unlike admission webhooks:
  webhook:
    timeout: 3s
    failurePolicy: Deny
- Logging and Auditing:
Enable logging on the Webhook service to audit authorization decisions.
When to Use Webhook Authorization
- When RBAC and ABAC do not meet specific authorization requirements.
- To integrate external systems with custom business logic.
- When using dynamic policies that need to be centrally managed.
Conclusion: Flexibility and Control with Webhook Authorization
Webhook Authorization offers flexibility by allowing custom authorization logic via external services. It is particularly useful in enterprise environments with complex authorization requirements that need to integrate with external identity or policy services.