Writing an authorization plugin
Other implementations can be developed fairly easily. The API server calls the Authorizer interface:
type Authorizer interface { Authorize(a Attributes) error }
It does this to determine whether or not to allow each API action.
An authorization plugin is a module that implements this interface. The authorization plugin code goes in pkg/auth/authorizer/$MODULENAME.
An authorization module can be completely implemented in Go, or can call out to a remote authorization service. Authorization modules can implement their own caching to reduce the cost of repeated authorization calls with the same or similar arguments. Developers should then consider the interaction between caching and revocation of permissions.
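The interaction between caching and revocation, as an added Go example that is not part of the original page or of the Kubernetes code base: a cached allow keeps being served after the backend revokes the permission, until the TTL expires or the cache is flushed. `Attributes` is a simplified struct here, and `CachingAuthorizer`, `Remote`, `Now` and `Flush` are hypothetical names.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Attributes is a simplified stand-in (assumption) for the real request attributes.
type Attributes struct{ User, Verb, Resource string }
type Authorizer interface{ Authorize(a Attributes) error }

// CachingAuthorizer (hypothetical) caches allow decisions only, for at most TTL.
type CachingAuthorizer struct {
	Remote  func(Attributes) error // the expensive check, e.g. a remote service call
	TTL     time.Duration
	Now     func() time.Time // injectable clock
	mu      sync.Mutex
	allowed map[Attributes]time.Time // request -> cache expiry
}

func (c *CachingAuthorizer) Authorize(a Attributes) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if exp, ok := c.allowed[a]; ok && c.Now().Before(exp) {
		return nil // served from cache: a revocation at the remote is not seen yet
	}
	err := c.Remote(a)
	if err == nil {
		if c.allowed == nil {
			c.allowed = map[Attributes]time.Time{}
		}
		c.allowed[a] = c.Now().Add(c.TTL)
	}
	return err
}

// Flush drops every cached allow; call it whenever permissions are revoked.
func (c *CachingAuthorizer) Flush() {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.allowed = nil
}

func main() {
	allow := func(Attributes) error { return nil }
	var c Authorizer = &CachingAuthorizer{Remote: allow, TTL: time.Minute, Now: time.Now}
	fmt.Println(c.Authorize(Attributes{"alice", "get", "pods"}))
}
```

The TTL is the upper bound on how long a revoked permission stays usable when nothing calls `Flush`. The lock is held across the remote call so that a flush cannot interleave with a lookup that would re-cache a just-revoked allow, at the cost of serialising requests.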
Writing an admission control plugin
Admission control plugins have a major role in making Kubernetes a flexible and adaptable platform. Every request to the API (after passing authentication and authorization) goes through a chain of configured admission control...