docs/admin/authentication.md
Lines changed: 17 additions & 2 deletions
@@ -6,7 +6,8 @@ assignees:
- deads2k
---
-
+
* TOC
+
{:toc}
## Users in Kubernetes
@@ -33,7 +34,7 @@ or be treated as an anonymous user.
## Authentication strategies
-
Kubernetes uses client certificates, bearer tokens, or HTTP basic auth to
+
Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to
authenticate API requests through authentication plugins. As HTTP request are
made to the API server plugins attempts to associate the following attributes
with the request:
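Review bot: the unchanged context lines directly after the edited sentence still read "As HTTP request are made to the API server plugins attempts to associate the following attributes with the request:", which needs "As HTTP requests are made to the API server, plugins attempt to associate the following attributes with the request:"; since this paragraph is already being touched to add "an authenticating proxy" to the list, fixing the grammar in the same commit would be cheap and keeps the new method from being introduced by a sentence that does not parse.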
@@ -360,6 +361,20 @@ An unsuccessful request would return:
HTTP status codes can be used to supply additional error context.
+
+
### Authenticating Proxy
+
+
The API server can be configured to identify users from request header values, such as `X-Remote-User`.
+
It is designed for use in combination with an authenticating proxy, which sets the request header value.
+
In order to prevent header spoofing, the authenticating proxy is required to present a valid client
+
certificate to the API server for validation against the specified CA before the request headers are
+
checked.
+
+
* `--requestheader-username-headers` Required, case-insensitive. Header names to check, in order, for the user identity. The first header containing a value is used as the identity.
+
* `--requestheader-client-ca-file` Required. PEM-encoded certificate bundle. A valid client certificate must be presented and validated against the certificate authorities in the specified file before the request headers are checked for user names.
+
* `--requestheader-allowed-names` Optional. List of common names (cn). If set, a valid client certificate with a Common Name (cn) in the specified list must be presented before the request headers are checked for user names. If empty, any Common Name is allowed.
+
+
### Keystone Password
Keystone authentication is enabled by passing the `--experimental-keystone-url=<AuthURL>`
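Review bot: the spoofing paragraph in the new "Authenticating Proxy" section ("In order to prevent header spoofing, the authenticating proxy is required to present a valid client certificate ...") overstates what the client certificate check buys, and the section should say what else the deployment must get right. The certificate only proves the request came through the proxy; it does nothing about an `X-Remote-User` header that an end user sent to the proxy and the proxy passed through unchanged, so the text should state that the proxy must overwrite or strip every header named in `--requestheader-username-headers` before forwarding, not merely set it. Second, the `--requestheader-allowed-names` bullet ends with "If empty, any Common Name is allowed.", and combined with "The first header containing a value is used as the identity." that means any certificate issued by the CA in `--requestheader-client-ca-file` can assert any username; the bullet is marked Optional, but the section should recommend setting it (or using a CA dedicated to the proxy) rather than leaving the reader to infer that from the default. A short "Security considerations" sentence or two after the bullet list would cover both points; the flag descriptions themselves are accurate as written.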
docs/getting-started-guides/libvirt-coreos.md
Lines changed: 1 addition & 1 deletion
@@ -121,7 +121,7 @@ setfacl -m g:kvm:--x ~
By default, the libvirt-coreos setup will create a single Kubernetes master and 3 Kubernetes nodes. Because the VM drives use Copy-on-Write and because of memory ballooning and KSM, there is a lot of resource over-allocation.
-
There is both an automated way and a manual, customizable way of setting up libvert Kubernetes clusters on CoreOS.
+
There is both an automated way and a manual, customizable way of setting up libvirt Kubernetes clusters on CoreOS.