kubernetes/kubernetes
Auth and admission
The Kubernetes auth pipeline is a layered stack of pluggable strategies. Most of the code is in the apiserver staging module (staging/src/k8s.io/apiserver/) so it can be reused by extension API servers, with kube-apiserver-specific composition in pkg/kubeapiserver/. This page is the catalog.
Authentication
| Strategy | Code | When it applies |
|---|---|---|
| X509 client cert | staging/src/k8s.io/apiserver/pkg/authentication/request/x509 |
TLS client certs signed by the cluster CA |
| Bearer token (static file) | staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken + token file loader |
Legacy. Tokens read from --token-auth-file |
| Service account token | pkg/serviceaccount/ + staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount |
JWT minted by the apiserver for pods. Two flavours: legacy auto-generated, projected bound |
| OpenID Connect | staging/src/k8s.io/apiserver/pkg/authentication/token/oidc |
Validates JWTs from external IdPs |
| Webhook | staging/src/k8s.io/apiserver/pkg/authentication/request/webhook |
Delegates to an external HTTPS service |
| Bootstrap token | pkg/registry/core/secret/, validated via staging/src/k8s.io/cluster-bootstrap |
Used by kubeadm init/join |
| Anonymous | staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous |
Final fallback. Returns the system:anonymous user |
| Header authn | staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest |
Front-proxy with pre-authenticated header |
The authenticators are composed in pkg/kubeapiserver/authenticator/config.go. The order is fixed; the first to claim the request wins.
The new structured authentication config (--authentication-config) lets admins declare multiple JWT issuers, claim mappings, and authorizer-friendly user/group prefixes in YAML instead of via flags. Schema is in staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1.
Authorization
The kube-apiserver's authorizer is a chain. The first authorizer to return Allow wins; Deny short-circuits the chain; NoOpinion falls through.
| Authorizer | Code | Use case |
|---|---|---|
| Always allow | staging/src/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go |
Testing only |
| Always deny | same | Testing only |
| ABAC | staging/src/k8s.io/apiserver/pkg/authorization/abac |
Legacy file-based |
| RBAC | staging/src/k8s.io/apiserver/pkg/authorization/rbac/ |
Default. Walks Role/ClusterRole/RoleBinding/ClusterRoleBinding |
| Node | plugin/pkg/auth/authorizer/node/ |
Restricts kubelets to objects related to their node |
| Webhook | staging/src/k8s.io/apiserver/pkg/authorization/webhook/ |
External SubjectAccessReview |
The Node authorizer is special: it builds a graph of object references (Pod → Secret, Pod → Node, Pod → ConfigMap, Pod → PVC, etc.) so it can answer "may this kubelet read this Secret?" as "is the Secret reachable from any pod scheduled to this kubelet's node?".
Admission
Admission runs after authorization and before storage. Plugins implement either:
MutationInterface—Admit(ctx, attrs, ...). Allowed to mutate the object.ValidationInterface—Validate(ctx, attrs, ...). Read-only.
Some plugins implement both. The chain runs all mutating plugins first, then all validating plugins. If a mutating plugin reorders, validating plugins still see the post-mutation object.
Built-in plugins live under plugin/pkg/admission/:
| Plugin | Role |
|---|---|
noderestriction |
Restrict kubelets to their own Node + Pod writes |
serviceaccount |
Inject SA tokens, default the Pod's SA |
podsecurity |
Pod Security Standards enforcement (uses staging/src/k8s.io/pod-security-admission) |
resourcequota |
ResourceQuota enforcement |
limitranger |
Default container resources from LimitRange |
priority |
Resolve priorityClassName to numeric priority |
defaulttolerationseconds |
Default node-not-ready/unreachable tolerations |
eventratelimit |
Throttle Event creation per origin |
namespacelifecycle |
Block writes to terminating namespaces |
mutatingwebhook / validatingwebhook |
Dynamic admission webhook plugins |
validatingadmissionpolicy |
CEL-based declarative validation |
storageobjectinuseprotection |
Block PV/PVC delete while in use |
runtimeclass |
Validate RuntimeClass references and inject overhead |
certificatesubjectrestriction, certificateapproval, certificatesigning |
CSR plugins |
denyserviceexternalips |
Optionally reject Services with externalIPs |
clusterresourcequota (out-of-tree, OpenShift) |
Per-tenant quota across namespaces |
Plugin registration is in pkg/kubeapiserver/options/plugins.go. The set actually enabled for a given apiserver depends on --enable-admission-plugins / --disable-admission-plugins.
Dynamic admission webhooks
MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources let cluster admins point at an external HTTPS service that receives an AdmissionReview and returns a verdict. Implementation:
staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/— generic webhook dispatcherstaging/src/k8s.io/apiserver/pkg/admission/plugin/policy/validating/— ValidatingAdmissionPolicy CEL executionpkg/registry/admissionregistration/— REST registry for the configuration objects
Webhooks are the standard extension point for things like service-mesh sidecar injection, image-policy controllers, and custom validation that's too dynamic to encode in a CEL policy.
ValidatingAdmissionPolicy (CEL)
A ValidatingAdmissionPolicy is a CEL program plus parameter source. It runs in-process (no extra hop) and is type-checked against the resource schema at registration. Implementation is split:
staging/src/k8s.io/apiserver/pkg/admission/plugin/policy/— runtimepkg/registry/admissionregistration/— REST registrypkg/controller/validatingadmissionpolicystatus/— status reconciliation (reports type-check results)
A future MutatingAdmissionPolicy is in development behind a feature gate.
Audit
staging/src/k8s.io/apiserver/pkg/audit/ records every authenticated request. Audit policies (audit.k8s.io/v1) are static YAML files that decide which requests get logged at which stage and at which level. Sinks include:
--audit-log-path— log file--audit-webhook-config-file— webhook- Dynamic backend (deprecated; backed by an in-cluster audit sink)
Where to make changes
- New authn strategy: implement
authenticator.Request, register inpkg/kubeapiserver/authenticator/config.go. - New authz mode: implement
authorizer.Authorizer, add to the structured--authorization-configschema. - New built-in admission plugin: implement
admission.MutationInterfaceand/orValidationInterface, drop intoplugin/pkg/admission/<name>/, register inpkg/kubeapiserver/options/plugins.go. - New dynamic admission feature: extend
MutatingWebhookConfiguration/ValidatingAdmissionPolicytypes instaging/src/k8s.io/api/admissionregistration/.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.