## Multiple Authz Webhook Initial Exploration Call

> Note: These notes are retrospective from a discussion on Jun 7 2022.

Attendees:

- Mo Khan (Staff - VMware, SIG Auth Chair)
- Nabarun Pal (SMTS - Tanzu Upstream Engineering)
- Soumik Majumder (MTS - Carvel)

Notes:

- Desire to move to APIs that can be versioned instead of flags
- Extras in auth, providing metadata to webhooks
  - Cannot provide webhooks
  - Metadata filter in config
- Can the webhook deny or not
  - So that SubjectAccessReview knows whether or not a webhook can deny
  - Move towards more definitive SubjectAccessReviews
- Supports different needs, for example
  - Tightly coupled to stack
  - Protecting CRDs
  - A webhook for Open Policy Agent
- Optimisation cases
  - Doing a stricter validation before another?
- Do we need hot reload?
  - Need to change policies without restarts
- Non-goals
  - We do not wanna keep supplying kubeConfig file paths
    - Move definitions to new API?
- Allow filtering to scope webhooks to GVKs
  - Use CEL for filtering?
- Timeout for webhook auth
  - Does it deny on timeout?
- Use case where users have to make a webhook layer which validates requests and then hands validation off to another webhook (maybe declared using OPA)
- Metrics around this?
  - Latency, frequency of invocation
  - Benefits admins configuring