Skip to main content

Denying Proxy Requests


Pro Feature

This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.

Configure denying proxy requests based on rules.

  • Only validation based on matched namespaces, and resource group / kind / version and request verbs are supported.
  • No mutation of requests, only allow / deny.

Example​

experimental:
  denyProxyRequests:
  - name: "Deny \"protected\" namespace"
    namespaces:
    - protected
    rules:
    - operations:
      - delete
      - update
      - patch
      apiGroups:
      - ''
      apiVersions:
      - "*"
      resources:
      - "namespaces/*"
      scope: Cluster
    - operations:
      - create
      - delete
      - update
      - patch
      apiGroups:
      - "*"
      apiVersions:
      - "*"
      resources:
      - "*"
      scope: Namespaced
    excludedUsers:
    - system:admin
    - system:serviceaccount:default:excluded

Config reference​

denyProxyRequests required object[] pro​

DenyProxyRequests denies certain requests in the vCluster proxy.

name required string pro​

The name of the check.

namespaces required string[] pro​

Namespace describe a list of namespaces that will be affected by the check. An empty list means that all namespaces will be affected. In case of ClusterScoped rules, only the Namespace resource is affected.

rules required object[] pro​

Rules describes on which verbs and on what resources/subresources the webhook is enforced. The webhook is enforced if it matches any Rule. The version of the request must match the rule version exactly. Equivalent matching is not supported.

apiGroups required string[] pro​

APIGroups is the API groups the resources belong to. '*' is all groups.

apiVersions required string[] pro​

APIVersions is the API versions the resources belong to. '*' is all versions.

resources required string[] pro​

Resources is a list of resources this rule applies to.

scope required string pro​

Scope specifies the scope of this rule.

operations required string[] pro​

Verb is the kube verb associated with the request for API requests, not the http verb. This includes things like list and watch. For non-resource requests, this is the lowercase http verb. If '*' is present, the length of the slice must be one.

excludedUsers required string[] pro​

ExcludedUsers describe a list of users for which the checks will be skipped. Impersonation attempts on these users will still be subjected to the checks.