Webhooks
Jupyter K8s registers admission webhooks with the Kubernetes API server to default and validate resources before persisting them.
Overview

| Webhook | Resource | Type | Failure Policy | Verbs |
|---|---|---|---|---|
|  |  | Mutating |  | create, update |
|  |  | Validating |  | create, update, delete |
|  |  | Validating |  | update |
| Pod exec |  | Validating |  | connect |
Pod exec webhook
A validating webhook intercepts pods/exec requests (connect verb) to restrict the controller’s service account:

- Non-controller users: the webhook allows all exec requests without further checks.
- Controller service account: the webhook only allows exec into pods that carry the workspace label.
This prevents users from using the controller as a vector to exec into arbitrary pods.
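
The decision described above, sketched as an added example (not the project's own code). The service account name, the label key, and the `lookup` function are hypothetical placeholders, and denying when the pod cannot be read is an assumption of this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed placeholders: the page names neither the service account nor the label key.
const (
	controllerUser = "system:serviceaccount:example-system:example-controller"
	workspaceLabel = "example.invalid/workspace"
)

// review: subset of admission.k8s.io/v1 AdmissionReview; for pods/exec, name is the pod name.
type review struct {
	Request struct {
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
		UserInfo  struct {
			Username string `json:"username"`
		} `json:"userInfo"`
	} `json:"request"`
}

// decide reports whether the exec request is allowed and, if not, why.
// lookup is a hypothetical stand-in for reading the pod's labels from the API server.
func decide(raw []byte, lookup func(ns, name string) (map[string]string, error)) (bool, string) {
	var r review
	if err := json.Unmarshal(raw, &r); err != nil {
		return false, "malformed AdmissionReview"
	}
	if r.Request.UserInfo.Username != controllerUser {
		return true, "" // non-controller users: allowed without further checks
	}
	labels, err := lookup(r.Request.Namespace, r.Request.Name)
	if err != nil {
		return false, "pod lookup failed: " + err.Error() // assumption: fail closed
	}
	if _, ok := labels[workspaceLabel]; !ok {
		return false, "pod lacks the workspace label"
	}
	return true, ""
}

func main() {
	// Constructed request: the controller service account execs into an unlabelled pod.
	raw := []byte(`{"request":{"namespace":"default","name":"db-0","userInfo":{"username":"` + controllerUser + `"}}}`)
	lookup := func(ns, name string) (map[string]string, error) { return map[string]string{"app": "db"}, nil }
	fmt.Println(decide(raw, lookup))
}
```

The exec request body is a `PodExecOptions` object rather than the pod, which is why the labels have to be looked up by namespace and name.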