Merge pull request #118 from kcp-dev/add-authz-webhook-options

Add authz webhook options
kcp-dev · Jan 8, 2025 · bc5babb · bc5babb
2 parents 5c5a071 + f339104
commit bc5babb
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 0 deletions.
diff --git a/charts/kcp/readme.md → charts/kcp/README.md b/charts/kcp/readme.md → charts/kcp/README.md
@@ -29,6 +29,7 @@ Currently configurable options:
 * OIDC
 * Github user access to project
 * External hostname
+* Authorization Webhook
 
 ### Monitoring
 

diff --git a/charts/kcp/templates/server-deployment.yaml b/charts/kcp/templates/server-deployment.yaml
@@ -171,6 +171,9 @@ spec:
             - --profiler-address=0.0.0.0:{{- .Values.kcp.profiling.port -}}
             {{- end }}
             - --batteries-included={{- include "kcp.batteries" . }}
+            {{- if .Values.kcp.authorization.webhook.secretName }}
+            - --authorization-webhook-config-file=/etc/kcp/authorization/webhook/kubeconfig
+            {{- end }}
             {{- range .Values.kcp.extraFlags }}
             - {{ . }}
             {{- end }}
@@ -254,6 +257,10 @@ spec:
             - name: audit-policy
               mountPath: {{ .Values.audit.policy.dir }}
             {{- end }}
+            {{- if .Values.kcp.authorization.webhook.secretName }}
+            - name: kcp-webhook-authorization
+              mountPath: /etc/kcp/authorization/webhook
+            {{- end }}
             - name: logical-cluster-admin-kubeconfig
               mountPath: /etc/kcp/logical-cluster-admin/kubeconfig
             - name: logical-cluster-admin-kubeconfig-cert
@@ -312,6 +319,11 @@ spec:
           persistentVolumeClaim:
             claimName: {{ include "kcp.fullname" . }}-audit-logs
         {{- end }}
+        {{- with .Values.kcp.authorization.webhook.secretName }}
+        - name: kcp-webhook-authorization
+          secret:
+            secretName: {{ . }}
+        {{- end }}
         - name: logical-cluster-admin-kubeconfig
           secret:
             secretName: {{ include "kcp.fullname" . }}-internal-admin-kubeconfig

diff --git a/charts/kcp/values.yaml b/charts/kcp/values.yaml
@@ -76,6 +76,13 @@ kcp:
         user-1-token,user-1,1111-1111-1111-1111,"team-1"
         admin-token,admin,5555-5555-5555-5555,"system:kcp:admin"
         system-token,system,6666-6666-6666-6666,"system:masters"
+  authorization:
+    webhook:
+      # When configured, this Secret must contain a single key, "kubeconfig", containing
+      # a kubeconfig-style YAML file that configures kcp's authorization webhook.
+      # See https://docs.kcp.io/kcp/main/concepts/authorization/authorizers/#webhook-authorizer
+      # for more information.
+      secretName: ""
   hostAliases:
     enabled: false
   homeWorkspaces: