Validating admission webhook based on client source IP

8/27/2019

We would like to implement a validating admission webhook that allows or denies requests based on the client source IP, but in the AdmissionReview object, the IP is not available.

Using --requestheader-extra-headers-prefix it is possible to inject the IP into the admissionReview.Request.UserInfo.Extra map, but this is only suitable when using an external authenticator. It doesn't work when using the built-in authentication methods of Kubernetes, e.g. the OIDC authentication.

When the API server calls the admission webhook, it doesn't seem to provide any additional headers or other information that could be used.

-- flarno11
kubernetes
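
The external-authenticator case described in the question, as an added example that is not part of the original post: a webhook-side check that reads the client IP from `userInfo.extra` in the AdmissionReview and fails closed when it is missing, repeated, unparsable or outside an allowlist. The extra key `client-ip`, the header name `X-Remote-Extra-Client-Ip`, the function name `Decide` and the sample CIDR are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Assumed key: with --requestheader-extra-headers-prefix=X-Remote-Extra-, a proxy
// header X-Remote-Extra-Client-Ip is expected to surface as extra key "client-ip".
const extraKey = "client-ip"

// Decide parses an AdmissionReview body and returns the request UID and whether
// the client IP found in userInfo.extra falls inside one of the allowed networks.
func Decide(body []byte, allowed []*net.IPNet) (uid string, ok bool, err error) {
	var in struct {
		Request *struct {
			UID      string `json:"uid"`
			UserInfo struct {
				Extra map[string][]string `json:"extra"`
			} `json:"userInfo"`
		} `json:"request"`
	}
	if err = json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return "", false, fmt.Errorf("not an AdmissionReview request: %v", err)
	}
	vals := in.Request.UserInfo.Extra[extraKey]
	if len(vals) != 1 { // absent (e.g. built-in authenticators) or ambiguous: deny
		return in.Request.UID, false, nil
	}
	ip := net.ParseIP(vals[0]) // nil when the value is not an IP literal
	for _, n := range allowed {
		if ip != nil && n.Contains(ip) {
			return in.Request.UID, true, nil
		}
	}
	return in.Request.UID, false, nil
}

func main() {
	_, office, _ := net.ParseCIDR("10.20.0.0/16") // constructed allowlist
	sample := `{"request":{"uid":"u1","userInfo":{"extra":{"client-ip":["10.20.3.4"]}}}}` // constructed
	fmt.Println(Decide([]byte(sample), []*net.IPNet{office}))
}
```

The value is only as trustworthy as the authenticating proxy that sets the header, so the check is meaningful only when that proxy overwrites any client-supplied copy of it.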

0 Answers