K
Q

How to filter authentication request before forwarding to authentication server?

12/6/2019

We need to disable logging in via service account token.

We were thinking of having a webhook for login event and forwarding it to opa, opa will check if the login request uses token. If it does, it throw an error, if it does it will just continue the flow of forwarding the request to the authenticator/identity provider.

We are using openshift 3.

-- letthefireflieslive
kubernetes
open-policy-agent
openshift

Similar Questions

One domain points to another kubernetes ingress host domain using CNAME
Azure csi disk FailedAttachVolume issue : could not get disk name from disk URL
Deploy MongoDB ops manger in local mode using kubernetes enterprise operator
POSTGRES_PASSWORD ignored and can access DB without or with any password
Helm upgrade not working when upgrading from 2.10.0 to 3.1.0
Kubernetes: Preserving HTTP method with NGINX Ingress simple fanout
Nginx upstream timed out (110: Connection timed out) while connecting to upstream when connecting to kubernetes ingress

1 Answer

12/6/2019

I'm not certain if that is possible to do with https://kubernetes.io/docs/reference/access-authn-authz/webhook/ but if you had a way to know with that request payload if it was a token then you could handle it that way.

If not, you would probably need to use a like gateway/proxy in front of the API server to intercept requests and filter them before kubernetes receives them at all.

-- Patrick East
Source: StackOverflow