We would like to implement a validating admission webhook that allows or denies requests based on the client source IP, but in the AdmissionReview object, the IP is not available.
Using --requestheader-extra-headers-prefix it is possible to inject the IP into the admissionReview.Request.UserInfo.Extra map, but this is only suitable when using an external authenticator. It doesn't work when using the built-in authentication methods of Kubernetes, e.g. the OIDC authentication.
When the API server calls the admission webhook, it doesn't seem to provide any additional headers or other information that could be used.
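
The decision logic for the UserInfo.Extra approach described above, as an added example that is not part of the original question and not Kubernetes code. The extra key `source-ip`, the allowlisted network and the sample request are assumptions; the review fails closed, so a request with no injected IP (as with the built-in authenticators) is denied.

```go
package main

import (
	"fmt"
	"net/netip"
	"encoding/json"
)

// Subset of the admission.k8s.io/v1 AdmissionReview JSON, declared locally.
type request struct {
	UID      string `json:"uid"`
	UserInfo struct {
		Extra map[string][]string `json:"extra"`
	} `json:"userInfo"`
}
type response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}
type admissionReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *request  `json:"request,omitempty"`
	Response   *response `json:"response,omitempty"`
}
const extraKey = "source-ip" // assumed key, set by the authenticating proxy
var allowedNet = netip.MustParsePrefix("10.0.0.0/8") // constructed allowlist

// review fails closed: a missing, repeated or unparsable IP is denied.
func review(body []byte) admissionReview {
	var in admissionReview
	resp := &response{Status: map[string]string{"message": "client IP missing or not allowed"}}
	out := admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}
	if json.Unmarshal(body, &in) != nil || in.Request == nil {
		return out
	}
	resp.UID = in.Request.UID // the response must echo the request UID
	if v := in.Request.UserInfo.Extra[extraKey]; len(v) == 1 {
		if ip, err := netip.ParseAddr(v[0]); err == nil && allowedNet.Contains(ip.Unmap()) {
			resp.Allowed, resp.Status = true, nil
		}
	}
	return out
}

func main() { // constructed request with no extra entry: denied
	fmt.Printf("%+v\n", *review([]byte(`{"request":{"uid":"u1","userInfo":{}}}`)).Response)
}
```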