When a client authenticates to the apiserver, a number of attributes are associated with the request. These attributes include an "extra" attribute which is just a map of strings to lists of strings.
Authorisation plugins can review these attributes to make authorisation decisions. Does the RBAC authorisation plugin support reviewing these "extra" attributes?
A brief description of extra attributes in the source code says:
    type Info interface {
        // ... (other methods of the interface are not shown in this excerpt)

        // GetExtra can contain any additional information that the authenticator
        // thought was interesting. One example would be scopes on a token.
        // Keys in this map should be namespaced to the authenticator or
        // authenticator/authorizer pair making use of them.
        // For instance: "example.org/foo" instead of "foo"
        // This is a map[string][]string because it needs to be serializeable into
        // a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization
        // delegation flows
        // In order to faithfully round-trip through an impersonation flow, these keys
        // MUST be lowercase.
        GetExtra() map[string][]string
    }

    // GetExtra returns the Extra map stored on DefaultInfo unchanged.
    func (i *DefaultInfo) GetExtra() map[string][]string {
        return i.Extra
    }
After reading the code I haven't found any reference to extra attributes.
It looks like extra attributes are not used in the RBAC plugin at the moment, but they can be used in Webhook authorization mode.
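
In Webhook mode the extras arrive in the `spec.extra` field of the SubjectAccessReview, so a webhook can act on them. The following is an added example, not code from Kubernetes or from the answer above: it assumes a hypothetical extra key `example.org/scopes` with the values `read` and `write`, and it only ever denies or abstains, leaving the allow decision to later authorizers such as RBAC.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const scopeKey = "example.org/scopes" // hypothetical extra key: namespaced, lowercase

type review struct { // the subset of a v1 SubjectAccessReview used here
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Extra    map[string][]string `json:"extra"`
		Resource struct {
			Verb string `json:"verb"`
		} `json:"resourceAttributes"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Denied  bool   `json:"denied"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}

// Review only narrows access: deny when the scopes do not cover the verb, else no opinion.
func Review(body []byte) ([]byte, error) {
	var r review
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	scopes, scoped := r.Spec.Extra[scopeKey]
	v := r.Spec.Resource.Verb // empty for non-resource requests: treated as a write
	readOnly := v == "get" || v == "list" || v == "watch"
	for _, s := range scopes {
		if s == "write" || (s == "read" && readOnly) {
			return json.Marshal(r) // scope covers the verb; later authorizers decide
		}
	}
	if scoped {
		r.Status.Denied, r.Status.Reason = true, fmt.Sprintf("scopes %v do not cover %q", scopes, v)
	}
	return json.Marshal(r)
}

func main() { // constructed request: a read-scoped token attempting a delete
	out, err := Review([]byte(`{"apiVersion":"authorization.k8s.io/v1","kind":"SubjectAccessReview","spec":{"extra":{"example.org/scopes":["read"]},"resourceAttributes":{"verb":"delete","resource":"pods"}}}`))
	fmt.Println(string(out), err)
}
```

For the denial to take effect, the webhook has to be consulted before RBAC, for example with `--authorization-mode=Webhook,RBAC`.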