There are two main ways to implement custom logic that the API server calls during Authentication, Authorization and Admission:
- Webhooks: Configure webhooks in the API server
- Direct: Include the custom logic in the API server code
To explore these two variants, we implement the following logic in both ways:
- Authentication: If the token `magic-token` is provided, the request is authenticated as user `magic-user`, which is a member of the group `magic-group`.
- Authorization: Allow users who are members of the group `magic-group` to manage configmaps.
- Validating Admission: Reject configmaps which contain the value `not-allowed-value`.
- Mutating Admission: Add the value `magic-value: foobar` to all configmaps.
See the subdirectories for a description of the two implementations:
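
As an illustration of the webhook variant of the authentication rule above, the following added example (not this project's code) answers an `authentication.k8s.io/v1` `TokenReview` request body using only the Go standard library. The function name `Authenticate`, the constant-time comparison and the choice to drop the token from the reply are assumptions made for this sketch.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// tokenReview holds the authentication.k8s.io/v1 TokenReview fields used here.
type tokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       *struct {
		Token string `json:"token"`
	} `json:"spec,omitempty"`
	Status struct {
		Authenticated bool  `json:"authenticated"`
		User          *user `json:"user,omitempty"`
	} `json:"status"`
}

type user struct {
	Username string   `json:"username"`
	Groups   []string `json:"groups"`
}

// Authenticate answers one TokenReview body; an unknown token is a normal authenticated=false reply.
func Authenticate(body []byte) ([]byte, error) {
	var tr tokenReview
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, fmt.Errorf("decode TokenReview: %w", err)
	}
	if tr.Kind != "TokenReview" || tr.Spec == nil {
		return nil, fmt.Errorf("not a TokenReview request")
	}
	// Compare without an early exit on the first differing byte.
	if subtle.ConstantTimeCompare([]byte(tr.Spec.Token), []byte("magic-token")) == 1 {
		tr.Status.Authenticated = true
		tr.Status.User = &user{Username: "magic-user", Groups: []string{"magic-group"}}
	}
	tr.Spec = nil // never echo the bearer token back in the response
	return json.Marshal(tr)
}

func main() {
	// Constructed request, shaped like what the API server POSTs to the webhook.
	req := `{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","spec":{"token":"magic-token"}}`
	out, err := Authenticate([]byte(req))
	fmt.Println(string(out), err)
}
```

The group `magic-group` returned here is what the authorization rule then keys on, so the two rules only work together if the authenticator is the sole source of that group name.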