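# Structured authorization configuration for kube-apiserver
# (loaded through the --authorization-config flag).
# Authorizers are consulted in the order listed; the first one that returns
# an explicit allow or deny decides the request. If every authorizer has no
# opinion, the request is denied.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthorizationConfiguration
authorizers:
  # Node authorizer: authorizes kubelet API requests.
  - type: Node
    name: node
  # RBAC authorizer: allows what Role/ClusterRole bindings grant and has no
  # opinion on everything else (it never returns an explicit deny).
  - type: RBAC
    name: rbac
  # Optional webhook authorizer (disabled example).
  # Review notes before enabling:
  #   * Position: listed after Node and RBAC, the webhook only sees requests
  #     those two did not allow. It can grant additional access but cannot
  #     restrict anything RBAC already permits.
  #   * authorizedTTL: allow decisions are cached for this long, so access
  #     revoked on the webhook side can remain effective for up to 300s.
  #   * failurePolicy: NoOpinion lets a webhook error or timeout fall through
  #     to later authorizers (none follow here, so the request ends up
  #     denied). Deny rejects the request immediately on failure.
  #   * kubeConfigFile: contains the credentials the API server uses to reach
  #     the webhook; restrict its file permissions to the apiserver user.
  #   * matchConditions: every expression must evaluate to true for the
  #     webhook to be called; otherwise the webhook is skipped.
  # - type: Webhook
  #   name: Example
  #   webhook:
  #     authorizedTTL: 300s
  #     unauthorizedTTL: 30s
  #     timeout: 3s
  #     subjectAccessReviewVersion: v1
  #     matchConditionSubjectAccessReviewVersion: v1
  #     failurePolicy: NoOpinion
  #     connectionInfo:
  #       type: KubeConfigFile
  #       kubeConfigFile: /etc/kubernetes/apiserver/example.yaml
  #     matchConditions:
  #       # only send resource requests to the webhook
  #       - expression: has(request.resourceAttributes)
  #       # Don't intercept requests from kube-system service accounts
  #       - expression: "!('system:serviceaccounts:kube-system' in request.groups)"
  #       ## Below expressions avoid issues with kubeadm init and other system components that should be authorized by Node and RBAC
  #       # Don't process node and bootstrap token requests with the webhook
  #       - expression: "!('system:nodes' in request.groups)"
  #       - expression: "!('system:bootstrappers' in request.groups)"
  #       - expression: "!('system:bootstrappers:kubeadm:default-node-token' in request.groups)"
  #       # Don't process kubeadm requests with the webhook
  #       - expression: "!('kubeadm:cluster-admins' in request.groups)"
  #       - expression: "!('system:masters' in request.groups)"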