Merge branch 'master' into master

docs/admin/authentication.md

@@ -6,7 +6,8 @@ assignees:
 - deads2k
 
 ---
-
+* TOC
+{:toc}
 
 ## Users in Kubernetes
 
@@ -33,7 +34,7 @@ or be treated as an anonymous user.
 
 ## Authentication strategies
 
-Kubernetes uses client certificates, bearer tokens, or HTTP basic auth to
+Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to
 authenticate API requests through authentication plugins. As HTTP request are
 made to the API server plugins attempts to associate the following attributes
 with the request:
@@ -360,6 +361,20 @@ An unsuccessful request would return:
 
 HTTP status codes can be used to supply additional error context.
 
+
+### Authenticating Proxy
+
+The API server can be configured to identify users from request header values, such as `X-Remote-User`.
+It is designed for use in combination with an authenticating proxy, which sets the request header value.
+In order to prevent header spoofing, the authenticating proxy is required to present a valid client
+certificate to the API server for validation against the specified CA before the request headers are 
+checked.
+
+* `--requestheader-username-headers` Required, case-insensitive. Header names to check, in order, for the user identity. The first header containing a value is used as the identity.
+* `--requestheader-client-ca-file` Required. PEM-encoded certificate bundle. A valid client certificate must be presented and validated against the certificate authorities in the specified file before the request headers are checked for user names.
+* `--requestheader-allowed-names` Optional.  List of common names (cn). If set, a valid client certificate with a Common Name (cn) in the specified list must be presented before the request headers are checked for user names. If empty, any Common Name is allowed. 
+
+
 ### Keystone Password
 
 Keystone authentication is enabled by passing the `--experimental-keystone-url=<AuthURL>`

docs/getting-started-guides/binary_release.md

@@ -33,7 +33,7 @@ cd kubernetes
 make release
 ```
 
-For more details on the release process see the [`build/` directory](http://releases.k8s.io/{{page.githubbranch}}/build/)
+For more details on the release process see the [`build/`](http://releases.k8s.io/{{page.githubbranch}}/build/) directory
 
 ### Download Kubernetes and automatically set up a default cluster
 
@@ -57,4 +57,4 @@ Possible values for `YOUR_PROVIDER` include:
 * `vsphere` - VMWare VSphere
 * `rackspace` - Rackspace
 
-For the complete, up-to-date list of providers supported by this script, see [the `/cluster` folder in the main Kubernetes repo](https://github.com/kubernetes/kubernetes/tree/{{page.githubbranch}}/cluster), where each folder represents a possible value for `YOUR_PROVIDER`. If you don't see your desired provider, try looking at our [getting started guides](/docs/getting-started-guides); there's a good chance we have docs for them.
+For the complete, up-to-date list of providers supported by this script, see the [`/cluster`](https://github.com/kubernetes/kubernetes/tree/{{page.githubbranch}}/cluster) folder in the main Kubernetes repo, where each folder represents a possible value for `YOUR_PROVIDER`. If you don't see your desired provider, try looking at our [getting started guides](/docs/getting-started-guides); there's a good chance we have docs for them.

docs/getting-started-guides/libvirt-coreos.md

@@ -121,7 +121,7 @@ setfacl -m g:kvm:--x ~
 
 By default, the libvirt-coreos setup will create a single Kubernetes master and 3 Kubernetes nodes. Because the VM drives use Copy-on-Write and because of memory ballooning and KSM, there is a lot of resource over-allocation.
 
-There is both an automated way and a manual, customizable way of setting up libvert Kubernetes clusters on CoreOS.
+There is both an automated way and a manual, customizable way of setting up libvirt Kubernetes clusters on CoreOS.
 
 #### Automated setup