当客户端向apiserver进行身份验证时,会有attributes are associated with the request个。这些属性包括“额外”属性,它只是字符串列表的字符串映射。
授权插件可以查看这些属性以做出授权决策。 RBAC授权插件是否支持查看这些“额外”属性?
答案 0 :(得分:1)
来自source code的额外属性的简要说明告诉我们:
// GetExtra can contain any additional information that the authenticator
// thought was interesting. One example would be scopes on a token.
// Keys in this map should be namespaced to the authenticator or
// authenticator/authorizer pair making use of them.
// For instance: "example.org/foo" instead of "foo"
// This is a map[string][]string because it needs to be serializeable into
// a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization
// delegation flows
// In order to faithfully round-trip through an impersonation flow, these keys
// MUST be lowercase.
GetExtra() map[string][]string
}
func (i *DefaultInfo) GetExtra() map[string][]string {
return i.Extra
}
在阅读完代码后,我还没有找到任何额外属性的引用 看起来目前RBAC插件中没有使用额外的属性,但可以在Webhook authorization mode中使用。