From c01dcf1a946ba78eb233c1e59f102cfc093f0df7 Mon Sep 17 00:00:00 2001 From: deads2k Date: Tue, 1 Nov 2016 08:42:59 -0400 Subject: [PATCH] document authenticating proxy: --- docs/admin/authentication.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/admin/authentication.md b/docs/admin/authentication.md index 6819677107..6e13c28929 100644 --- a/docs/admin/authentication.md +++ b/docs/admin/authentication.md @@ -33,7 +33,7 @@ or be treated as an anonymous user. ## Authentication strategies -Kubernetes uses client certificates, bearer tokens, or HTTP basic auth to +Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to authenticate API requests through authentication plugins. As HTTP request are made to the API server plugins attempts to associate the following attributes with the request: 
@@ -360,6 +360,20 @@ An unsuccessful request would return: HTTP status codes can be used to supply additional error context. + +### Authenticating Proxy + +The API server can be configured to identify users from request header values, such as `X-Remote-User`. +It is designed for use in combination with an authenticating proxy, which sets the request header value. +In order to prevent header spoofing, the authenticating proxy is required to present a valid client +certificate to the API server for validation against the specified CA before the request headers are +checked. + +* `--requestheader-username-headers` Required, case-insensitive. Header names to check, in order, for the user identity. The first header containing a value is used as the identity. +* `--requestheader-client-ca-file` Required. PEM-encoded certificate bundle. A valid client certificate must be presented and validated against the certificate authorities in the specified file before the request headers are checked for user names. +* `--requestheader-allowed-names` Optional. List of common names (cn). If set, a valid client certificate with a Common Name (cn) in the specified list must be presented before the request headers are checked for user names. If empty, any Common Name is allowed. + + ### Keystone Password Keystone authentication is enabled by passing the `--experimental-keystone-url=`
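Review bot: the changed line in the first hunk reads fine, but the unchanged context directly after it ("As HTTP request are made to the API server plugins attempts to associate") has two agreement errors; since this paragraph is being touched anyway, consider folding in "As HTTP requests are made to the API server, plugins attempt to associate the following attributes with the request:".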
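Review bot: the second hunk should spell out the trust consequence of the flags it documents: as written, any client certificate that validates against `--requestheader-client-ca-file` can assert an arbitrary user name via the configured header, and with `--requestheader-allowed-names` empty "any Common Name is allowed", so a CA shared with other cluster clients would let every holder of a cert from that CA impersonate any user. Suggest adding a sentence after the flag list recommending a CA dedicated to the authenticating proxy and/or a non-empty `--requestheader-allowed-names`, and, since the section's stated goal is "to prevent header spoofing", noting that the proxy itself must overwrite (never forward) the username headers it receives from clients. The two list-valued flags should also state their value format so operators do not have to guess how multiple header names or common names are separated.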