K
Q

Validating admission webhook based on client source IP

8/27/2019

We would like to implement a validating admission webhook that allows or denies requess based on the client source IP, but in the AdminissionReview object, the IP is not available.

Using --requestheader-extra-headers-prefix it is possible to inject the IP into the admissionReview.Request.UserInfo.Extra map, but this is only suitable when using an external authenticator. It doesn't work when using the builtin authentication methods of Kubernetes, e.g. the OIDC authenticaton.

When the Api Server calls the admission webhook, it doesn't seem to provide any additional headers or other information that could be used.

-- flarno11
kubernetes

Similar Questions

Deploy containers from Node/Angular UI to K8s cluster
Is it possible to deploy kubernetes application through bazel?
Unable to connect to www.googleapis.com from GKE
Can't able to get externalID ( i.e instanceId provided by aws) of my kubernetes master node

0 Answers