This repository has been archived by the owner. It is now read-only.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
examples PoC for a policy.json similar to OpenStack Jul 31, 2017
kube-system Provide Dockerfile and Pod to run the Webhook in kube-system Jan 25, 2018
.gitignore PoC for a policy.json similar to OpenStack Jul 31, 2017
LICENSE Initial Drop Jul 26, 2017
Makefile Move webhook handlers into their own package Jul 28, 2017 Improve README Jan 25, 2018
bindep.txt Initial Drop Jul 26, 2017
glide.lock Update glide dependencies Jul 26, 2017
glide.yaml Update glide dependencies Jul 26, 2017
main.go Make keystone policy file not mandatory Jan 24, 2018


Proof-Of-Concept : Kubernetes webhook authentication and authorization for OpenStack Keystone

Steps to use this webook with Kubernetes

  • Save the following into webhook.kubeconfig.
apiVersion: v1
- cluster:
    insecure-skip-tls-verify: true
    server: https://localhost:8443/webhook
  name: webhook
- context:
    cluster: webhook
    user: webhook
  name: webhook
current-context: webhook
kind: Config
preferences: {}
- name: webhook

Configuration on K8s master for authentication

  • Add the following flags to your Kubernetes api server.
    • --authentication-token-webhook-config-file=/path/to/your/webhook.kubeconfig
    • --authorization-mode=Node,RBAC
  • Start webhook process with the following flags
    • --tls-cert-file /var/run/kubernetes/serving-kube-apiserver.crt
    • --tls-private-key-file /var/run/kubernetes/serving-kube-apiserver.key
    • --keystone-policy-file examples/policy.json
    • --keystone-url https://my.keystone:5000/v3

Configuration on K8s master for authorization

  • Copy the examples/policy.json and edit it to your needs.
  • Add the following flags to your Kubernetes api server.
    • --authorization-mode=Webhook,Node --authorization-webhook-config-file=/path/to/your/webhook.kubeconfig
  • When you start the webhook process make sure you also have the following flags (in addition to the flags in the case of authentication)
    • --keystone-policy-file examples/policy.json

K8s kubectl Client configuration

Old kubectl clients

  • Run openstack token issue to generate a token
  • Run kubectl --token $TOKEN get po or curl -k -v -XGET -H "Accept: application/json" -H "Authorization: Bearer $TOKEN" https://localhost:6443/api/v1/namespaces/default/pods

New kubectl clients v1.8.0 and later

The client is able to read the OS_ env variables used also by the openstackclient. You dont have to pass a token with --token, but the client will contact Keystone directly, will get a token and will use it. To configure the client to the following:

  • Run kubectl config set-credentials openstackuser --auth-provider=openstack

This command creates the following entry in your ~/.kube/config

- name: openstackuser
    as-user-extra: {}
      name: openstack
  • Run kubectl config set-context --cluster=kubernetes --user=openstackuser openstackuser@kubernetes
  • Run kubectl config use-context openstackuser@kubernetes to activate the context

Source your env vars. Make sure you include OS_DOMAIN_NAME or the client will fallback to Keystone V2 that is not supported by the webhook.This env should be ok:

  • Try: kubectl get pods

In case you are using this Webhook just for the authentication, you should get an authorization error:

Error from server (Forbidden): pods is forbidden: User "username" cannot list pods in the namespace "default"

You need to configure the RBAC with roles to be authorized to do something, for example:

kubectl create rolebinding username-view --clusterrole view --user username --namespace default

Try now again to see the pods with kubectl get pods


More details about Kubernetes Authentication Webhook using Bearer Tokens is at :

and the Authorization Webhook is at:


  • You can directly test the webhook with
cat << EOF | curl -kvs -XPOST -d @- https://localhost:8443/webhook | python -mjson.tool
	"apiVersion": "",
	"kind": "TokenReview",
	"metadata": {
		"creationTimestamp": null
	"spec": {
		"token": "$TOKEN"

cat << EOF | curl -kvs -XPOST -d @- https://localhost:8443/webhook | python -mjson.tool
	"apiVersion": "",
	"kind": "SubjectAccessReview",
	"spec": {
		"resourceAttributes": {
			"namespace": "kittensandponies",
			"verb": "get",
			"group": "",
			"resource": "pods"
		"user": "jane",
		"group": [