Merge pull request #1598 from deads2k/front-proxy

document authenticating proxy

docs/admin/authentication.md

@@ -33,7 +33,7 @@ or be treated as an anonymous user.
 
 ## Authentication strategies
 
-Kubernetes uses client certificates, bearer tokens, or HTTP basic auth to
+Kubernetes uses client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth to
 authenticate API requests through authentication plugins. As HTTP request are
 made to the API server plugins attempts to associate the following attributes
 with the request:
@@ -360,6 +360,20 @@ An unsuccessful request would return:
 
 HTTP status codes can be used to supply additional error context.
 
+
+### Authenticating Proxy
+
+The API server can be configured to identify users from request header values, such as `X-Remote-User`.
+It is designed for use in combination with an authenticating proxy, which sets the request header value.
+In order to prevent header spoofing, the authenticating proxy is required to present a valid client
+certificate to the API server for validation against the specified CA before the request headers are 
+checked.
+
+* `--requestheader-username-headers` Required, case-insensitive. Header names to check, in order, for the user identity. The first header containing a value is used as the identity.
+* `--requestheader-client-ca-file` Required. PEM-encoded certificate bundle. A valid client certificate must be presented and validated against the certificate authorities in the specified file before the request headers are checked for user names.
+* `--requestheader-allowed-names` Optional.  List of common names (cn). If set, a valid client certificate with a Common Name (cn) in the specified list must be presented before the request headers are checked for user names. If empty, any Common Name is allowed. 
+
+
 ### Keystone Password
 
 Keystone authentication is enabled by passing the `--experimental-keystone-url=<AuthURL>`