Denying Proxy Requests
This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.
Configure rules that deny selected requests in the vCluster proxy. The feature is deliberately narrow:
- Only validation based on the matched namespaces, the resource's API group / version / resource (including subresources), and the request verb is supported.
- Requests are only allowed or denied, never mutated. A request that matches no rule is left untouched.
Example

The configuration below denies delete, update and patch of the Namespace object named protected, and create, delete, update and patch of any namespaced resource inside it, for everyone except the two excluded users. Read-only verbs (get, list, watch) are not listed, so they are not affected.
```yaml
experimental:
  denyProxyRequests:
    - name: "Deny \"protected\" namespace"
      namespaces:
        - protected
      rules:
        # Cluster-scoped rule: applies to the Namespace object itself (and its
        # subresources) for the namespaces listed above.
        - operations:
            - delete
            - update
            - patch
          apiGroups:
            - ''          # core API group
          apiVersions:
            - "*"
          resources:
            - "namespaces/*"
          scope: Cluster
        # Namespaced rule: applies to every resource inside the listed namespaces.
        - operations:
            - create
            - delete
            - update
            - patch
          apiGroups:
            - "*"
          apiVersions:
            - "*"
          resources:
            - "*"
          scope: Namespaced
      # Checks are skipped for these users when they act as themselves;
      # requests that impersonate them are still checked.
      excludedUsers:
        - system:admin
        - system:serviceaccount:default:excluded
```
Config reference

- `denyProxyRequests` (object[], required, pro): denies certain requests in the vCluster proxy. Each entry is one check with the fields below.
  - `name` (string, required, pro): the name of the check.
  - `namespaces` (string[], required, pro): the namespaces affected by the check. An empty list means all namespaces are affected. For rules with `scope: Cluster`, the list selects Namespace objects by name; no other cluster-scoped resource is affected by such a rule.
  - `rules` (object[], required, pro): the verbs and resources/subresources the check is enforced on. The check is enforced if the request matches any rule. The request's API version must match the rule's version exactly; equivalent versions are not matched.
    - `apiGroups` (string[], required, pro): the API groups the resources belong to. `'*'` matches all groups; the core group is `''`.
    - `apiVersions` (string[], required, pro): the API versions the resources belong to. `'*'` matches all versions.
    - `resources` (string[], required, pro): the resources this rule applies to, written as `resource` or `resource/subresource` (for example `namespaces/*` for the Namespace object and all of its subresources).
    - `scope` (string, required, pro): the scope of this rule, `Cluster` or `Namespaced`.
    - `operations` (string[], required, pro): the Kubernetes verbs (not HTTP verbs) the rule applies to, including `list` and `watch`. For non-resource requests this is the lowercase HTTP verb. If `'*'` is present it must be the only entry.
  - `excludedUsers` (string[], required, pro): users for which the checks are skipped. Requests that impersonate one of these users are still subject to the checks, so an excluded account cannot be borrowed via `Impersonate-User` to bypass a deny rule.
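To make the matching semantics above concrete, here is an added example that evaluates the page's example configuration against a few constructed requests. It is illustrative code written for this page, not vCluster's implementation, and it follows the admission-webhook rule conventions the field descriptions are borrowed from: `'*'` matches any group, version or verb, a resource entry of the form `r/*` matches `r` and all of its subresources, and a bare `*` matches every resource but no subresource. The type names (`Request`, `Rule`, `Check`), the `Deny` function, and the reading that a `Cluster` rule combined with a `namespaces` list applies only to Namespace objects of those names are assumptions of this example; the exclusion check skips an excluded user only when it is the authenticated user, so a request that impersonates `system:admin` is still evaluated, as the reference states.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is what the checks look at (illustrative field names, not vCluster's types).
type Request struct {
	User, ImpersonateUser, Verb, APIGroup, APIVersion string // Impersonate-User header if set; APIGroup "" is the core group
	Resource, Subresource, Namespace, Name            string // Namespace is "" for cluster-scoped requests
}
// Rule and Check mirror one entry of experimental.denyProxyRequests.
type Rule struct {
	Operations, APIGroups, APIVersions, Resources []string
	Scope                                         string // "Cluster" or "Namespaced"
}
type Check struct {
	Name                      string
	Namespaces, ExcludedUsers []string
	Rules                     []Rule
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// matchList follows the admission-rule convention the field docs use: "*" matches anything.
func matchList(list []string, v string) bool { return contains(list, "*") || contains(list, v) }

// matchResource handles "pods", "pods/status", "pods/*", "*" and "*/*"; a bare "*" matches every resource but no subresource.
func matchResource(list []string, res, sub string) bool {
	for _, entry := range list {
		r, s := entry, ""
		if i := strings.Index(entry, "/"); i >= 0 {
			r, s = entry[:i], entry[i+1:]
		}
		if (r == "*" || r == res) && (s == "*" || s == sub) {
			return true
		}
	}
	return false
}

// matches applies one rule together with the check's namespace list; versions are compared exactly.
func (rl Rule) matches(c Check, req Request) bool {
	if !matchList(rl.Operations, req.Verb) || !matchList(rl.APIGroups, req.APIGroup) ||
		!matchList(rl.APIVersions, req.APIVersion) || !matchResource(rl.Resources, req.Resource, req.Subresource) {
		return false
	}
	if rl.Scope == "Cluster" {
		// Namespace objects are cluster-scoped; assumed reading of the docs: a namespace list selects them by name.
		if req.Resource == "namespaces" {
			return len(c.Namespaces) == 0 || contains(c.Namespaces, req.Name)
		}
		return req.Namespace == "" && len(c.Namespaces) == 0
	}
	return rl.Scope == "Namespaced" && req.Resource != "namespaces" && req.Namespace != "" &&
		(len(c.Namespaces) == 0 || contains(c.Namespaces, req.Namespace))
}

// Deny reports whether any check denies the request and which one; excluded users are skipped only when acting as themselves.
func Deny(checks []Check, req Request) (bool, string) {
	for _, c := range checks {
		if req.ImpersonateUser == "" && contains(c.ExcludedUsers, req.User) {
			continue
		}
		for _, rl := range c.Rules {
			if rl.matches(c, req) {
				return true, c.Name
			}
		}
	}
	return false, ""
}

// ExampleChecks is the page's example configuration as Go literals.
func ExampleChecks() []Check {
	return []Check{{
		Name:       `Deny "protected" namespace`,
		Namespaces: []string{"protected"},
		Rules: []Rule{
			{Operations: []string{"delete", "update", "patch"}, APIGroups: []string{""}, APIVersions: []string{"*"}, Resources: []string{"namespaces/*"}, Scope: "Cluster"},
			{Operations: []string{"create", "delete", "update", "patch"}, APIGroups: []string{"*"}, APIVersions: []string{"*"}, Resources: []string{"*"}, Scope: "Namespaced"},
		},
		ExcludedUsers: []string{"system:admin", "system:serviceaccount:default:excluded"},
	}}
}

func main() {
	// Constructed request (not captured traffic): alice impersonates an excluded user, so the check still applies.
	req := Request{User: "alice", ImpersonateUser: "system:admin", Verb: "create", APIVersion: "v1", Resource: "pods", Namespace: "protected"}
	fmt.Println(Deny(ExampleChecks(), req))
}
```

Three outcomes are worth checking against a real deployment before relying on the page's example: `system:admin` acting directly is skipped, `alice` impersonating `system:admin` is denied, and a `patch` of `pods/status` in `protected` is not covered by the bare `*` resource entry under these conventions (add `*/*` if subresources should be denied as well).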