Commit
document the authorization config
stlaz committed Feb 3, 2023
1 parent e6f5d1a commit 83ca5a0
Showing 3 changed files with 41 additions and 5 deletions.
39 changes: 38 additions & 1 deletion README.md
@@ -76,7 +76,7 @@ Proxy flags:
--auth-header-groups-field-separator string The separator string used for concatenating multiple group names in a groups header field's value (default "|")
--auth-header-user-field-name string The name of the field inside a http(2) request header to tell the upstream server about the user's name (default "x-remote-user")
--auth-token-audiences strings Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience.
--config-file string Configuration file to configure kube-rbac-proxy.
--config-file string Configuration file to configure static and rewrites authorization of the kube-rbac-proxy.
--ignore-paths strings Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
--oidc-ca-file string If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
--oidc-clientID string The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
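Review bot: the new help text for `--config-file` reads awkwardly ("configure static and rewrites authorization of the kube-rbac-proxy") and understates what the file carries, since the format documented further down in this same README also has a `resourceAttributes` section. Suggest something like "Configuration file for the authorization settings of kube-rbac-proxy (static authorization, resourceAttributes and rewrites)." and keep it identical to the string in cmd/kube-rbac-proxy/app/options/proxyoptions.go, which this commit changes as well.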
@@ -114,6 +114,43 @@ Global flags:
--version version[=true] Print version information and quit
```

### Authorization configuration

The format of the file accepted by the `--config-file` reads as follows:
```yaml
authorization:
static:
- user:
name: <string>
groups: [ <string> ]
verb: <string>
namespace: <string>
apiGroup: <string>
resource: <string>
subresource: <string>
name: <string>
resourceRequest: <bool>
path: <string>
resourceAttributes:
namespace: <string>
apiGroup: <string>
apiVersion: <string>
resource: <string>
subresource: <string>
name: <string>
rewrites:
byQueryParameter:
name: <string>
byHttpHeader:
name: <string>
```
The `authorization.static` is a YAML list, each element contains a set of attributes. kube-rbac-proxy translates incoming requests into kube-like authorization attributes that are checked against the list. If the request matches against any of the elements of the list, access is allowed.

The `authorization.resourceAttributes` and `authorization.rewrites` set how authorization attributes retrieved from HTTP requests to the proxy should be presented in a `SubjectAccessReview` to the kube-apiserver:
- `resourceAttributes` will set the given fields while sending the SAR to the kube-apiserver, while the keeping the `verb` and `user` based on the HTTP request
- `rewrites` allows retrieving certain parameters from the incoming HTTP request and use them in the fields of `resourceAttributes` if these take the form of `{{ .Value }}`, thus allowing parametrization of the SAR sent to the kube-apiserver


### How to update Go dependencies

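Review bot: the `authorization.static` paragraph says access is allowed when a request matches an element but does not say what happens when none matches, which is exactly what a reader deciding whether to use the static list needs; state explicitly whether an unmatched request is denied or falls through to the SubjectAccessReview path. Two further points on the same hunk: the `rewrites` bullet should say what `{{ .Value }}` expands to (the value of the named query parameter or HTTP header taken from the client request) and warn that, because that value is client-controlled, the upstream must scope its response by the same parameter, otherwise a client can be authorized for one namespace in the SAR while fetching another namespace's data; and the `resourceAttributes` bullet has a stray article, "while the keeping the `verb` and `user`", which should read "while keeping the `verb` and `user`".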
2 changes: 1 addition & 1 deletion cmd/kube-rbac-proxy/app/options/proxyoptions.go
@@ -64,7 +64,7 @@ func (o *ProxyOptions) AddFlags(flagset *pflag.FlagSet) {
flagset.StringVar(&o.UpstreamClientCertFile, "upstream-client-cert-file", "", "If set, the client will be used to authenticate the proxy to upstream. Requires --upstream-client-key-file to be set, too.")
flagset.StringVar(&o.UpstreamClientKeyFile, "upstream-client-key-file", "", "The key matching the certificate from --upstream-client-cert-file. If set, requires --upstream-client-cert-file to be set, too.")

flagset.StringVar(&o.ConfigFileName, "config-file", "", "Configuration file to configure kube-rbac-proxy.")
flagset.StringVar(&o.ConfigFileName, "config-file", "", "Configuration file to configure static and rewrites authorization of the kube-rbac-proxy.")
flagset.StringSliceVar(&o.AllowPaths, "allow-paths", nil, "Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the request doesn't match, kube-rbac-proxy responds with a 404 status code. If omitted, the incoming request path isn't checked. Cannot be used with --ignore-paths.")
flagset.StringSliceVar(&o.IgnorePaths, "ignore-paths", nil, "Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.")

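Review bot: the new help string ("static and rewrites authorization of the kube-rbac-proxy") is ungrammatical and is duplicated verbatim in README.md, so whichever wording is chosen must be changed in both places together; and since this line is being touched anyway, the adjacent `--ignore-paths` help two lines below still has the typo "requst" (also mirrored in the README), which could be fixed in the same commit.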
5 changes: 2 additions & 3 deletions pkg/authorization/rewrite/rewrite.go
@@ -33,9 +33,8 @@ var _ authorizer.Authorizer = &rewritingAuthorizer{}
const rewriterParams = iota

type RewriteAttributesConfig struct {
Rewrites *SubjectAccessReviewRewrites `json:"rewrites,omitempty"`
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
ResourceAttributesFile string `json:"-"`
Rewrites *SubjectAccessReviewRewrites `json:"rewrites,omitempty"`
ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
}

// SubjectAccessReviewRewrites describes how SubjectAccessReview may be
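Review bot: dropping `ResourceAttributesFile` from `RewriteAttributesConfig` is a code change that the commit message ("document the authorization config") does not mention; confirm nothing else still sets or reads the field (the diff alone cannot show that) and either call the cleanup out in the message or split it into its own commit. The other two changed lines only re-align the struct tags, which gofmt produces anyway once the longest field is gone.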