Is it possible to use the "extra" attribute associated to an apiserver request to make authorisation decisions with RBAC?

5/8/2018

When a client authenticates to the apiserver, a number of attributes are associated with the request. These attributes include an "extra" attribute which is just a map of strings to lists of strings.

Authorisation plugins can review these attributes to make authorisation decisions. Does the RBAC authorisation plugin support reviewing these "extra" attributes?

-- dippynark
authentication
authorization
kubernetes
rbac

1 Answer

5/8/2018

A brief description of extra attributes from the source code says:

    package user

    // Info describes a user that has been authenticated to the system.
    type Info interface {
        // GetName, GetUID and GetGroups omitted from this excerpt

        // GetExtra can contain any additional information that the authenticator
        // thought was interesting.  One example would be scopes on a token.
        // Keys in this map should be namespaced to the authenticator or
        // authenticator/authorizer pair making use of them.
        // For instance: "example.org/foo" instead of "foo"
        // This is a map[string][]string because it needs to be serializeable into
        // a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization
        // delegation flows
        // In order to faithfully round-trip through an impersonation flow, these keys
        // MUST be lowercase.
        GetExtra() map[string][]string
    }

    // DefaultInfo is the plain struct implementation of Info.
    type DefaultInfo struct {
        Name   string
        UID    string
        Groups []string
        Extra  map[string][]string
    }

    func (i *DefaultInfo) GetExtra() map[string][]string {
        return i.Extra
    }

After reading the code I haven't found any reference to extra attributes.
It looks like extra attributes are not used in the RBAC plugin at the moment, but they can be used in Webhook authorization mode.

-- VAS
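The answer's point is that extras are serialised into the SubjectAccessReview a webhook authorizer receives, while RBAC rules cannot reference them. As an added example (not from the answer or from Kubernetes), here is a minimal webhook decision function that reads a token-scope extra; the key `example.org/scopes`, the read/write scope rule and the hand-written struct subset are all assumptions.

```go
package main

import "encoding/json"

// Hand-written subset of authorization.k8s.io/v1 SubjectAccessReview, so this
// runs without the Kubernetes libraries. GetExtra() is serialised into spec.extra.
type Spec struct {
	User               string              `json:"user"`
	Extra              map[string][]string `json:"extra,omitempty"`
	ResourceAttributes *struct {
		Verb     string `json:"verb"`
		Resource string `json:"resource"`
	} `json:"resourceAttributes,omitempty"`
}

type Status struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"`
	Reason  string `json:"reason,omitempty"`
}

// Assumed authenticator-namespaced extra key ("example.org/foo" convention above).
const scopeKey = "example.org/scopes"

// Decide takes the review body the apiserver posts to the webhook. get/list/watch
// need scope "read", other verbs "write". Key present but scope missing: deny.
// Key absent: no opinion (Allowed and Denied both false), so RBAC still runs.
func Decide(body []byte) (Status, error) {
	var review struct {
		Spec Spec `json:"spec"`
	}
	if err := json.Unmarshal(body, &review); err != nil {
		return Status{}, err
	}
	scopes, present := review.Spec.Extra[scopeKey]
	if !present || review.Spec.ResourceAttributes == nil {
		return Status{}, nil // no opinion: fall through to RBAC
	}
	need := "write"
	switch review.Spec.ResourceAttributes.Verb {
	case "get", "list", "watch":
		need = "read"
	}
	for _, s := range scopes {
		if s == need {
			return Status{Allowed: true}, nil
		}
	}
	return Status{Denied: true, Reason: "token scopes lack " + need}, nil
}
```

A constructed body such as `{"spec":{"user":"jane","extra":{"example.org/scopes":["read"]},"resourceAttributes":{"verb":"delete","resource":"pods"}}}` is denied, while the same token asking to `get` pods is allowed and a request with no scope key is left to RBAC.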
Source: StackOverflow