Merge pull request #1305 from MikeSpreitzer/updoc3
Noted HTTP syntax restriction on bearer tokens
pull/1331/head^2
commit c92b209bfd
@ -66,8 +66,7 @@ See [APPENDIX](#appendix) for how to generate a client cert.
|
||||||
|
|
||||||
### Static Token File
|
### Static Token File
|
||||||
|
|
||||||
Token file is enabled by passing the `--token-auth-file=SOMEFILE` option to the
|
The API server reads bearer tokens from a file when given the `--token-auth-file=SOMEFILE` option on the command line. Currently, tokens last indefinitely, and the token list cannot be
|
||||||
API server. Currently, tokens last indefinitely, and the token list cannot be
|
|
||||||
changed without restarting API server.
|
changed without restarting API server.
|
||||||
|
|
||||||
The token file format is implemented in `plugin/pkg/auth/authenticator/token/tokenfile/...`
|
The token file format is implemented in `plugin/pkg/auth/authenticator/token/tokenfile/...`
|
||||||
|
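Review bot: the trailing context line `changed without restarting API server.` is missing an article; since the sentence feeding into it is being rewritten in this hunk anyway, it could be fixed in the same change as `changed without restarting the API server.` The new opening sentence reads well. It may also help to state plainly that the file is read once, at startup, since that is what "cannot be changed without restarting" implies for an operator rotating tokens.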
@ -78,8 +77,19 @@ optional group names. Note, if you have more than one group the column must be d
|
||||||
token,user,uid,"group1,group2,group3"
|
token,user,uid,"group1,group2,group3"
|
||||||
```
|
```
|
||||||
|
|
||||||
When using token authentication from an http client the API server expects an `Authorization`
|
#### Putting a Bearer Token in a Request
|
||||||
header with a value of `Bearer SOMETOKEN`.
|
|
||||||
|
When using bearer token authentication from an http client, the API
|
||||||
|
server expects an `Authorization` header with a value of `Bearer
|
||||||
|
THETOKEN`. The bearer token must be a character sequence that can be
|
||||||
|
put in an HTTP header value using no more than the encoding and
|
||||||
|
quoting facilities of HTTP. For example: if the bearer token is
|
||||||
|
`31ada4fd-adec-460c-809a-9e56ceb75269` then it would appear in an HTTP
|
||||||
|
header as shown below.
|
||||||
|
|
||||||
|
```http
|
||||||
|
Authentication: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269
|
||||||
|
```
|
||||||
|
|
||||||
### Static Password File
|
### Static Password File
|
||||||
|
|
||||||
|
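Review bot: the example contradicts the prose a few lines above it: the text says the API server expects an `Authorization` header, but the fenced block shows `Authentication: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269`. Because this block becomes the single example the other sections now link to, it should read `Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269`. Minor: `http client` would be better as `HTTP client`, matching `HTTP header` in the same paragraph.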
@ -171,7 +181,8 @@ type: kubernetes.io/service-account-token
|
||||||
Note: values are base64 encoded because secrets are always base64 encoded.
|
Note: values are base64 encoded because secrets are always base64 encoded.
|
||||||
|
|
||||||
The signed JWT can be used as a bearer token to authenticate as the given service
|
The signed JWT can be used as a bearer token to authenticate as the given service
|
||||||
account. Normally these secrets are mounted into pods for in-cluster access to
|
account. See [above](#putting-a-bearer-token-in-a-request) for how the token is included
|
||||||
|
in a request. Normally these secrets are mounted into pods for in-cluster access to
|
||||||
the API server, but can be used from outside the cluster as well.
|
the API server, but can be used from outside the cluster as well.
|
||||||
|
|
||||||
Service accounts authenticate with the username `system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT)`,
|
Service accounts authenticate with the username `system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT)`,
|
||||||
|
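Review bot: the new cross-reference `[above](#putting-a-bearer-token-in-a-request)` is a hand-written anchor that depends on the slug generated for the `#### Putting a Bearer Token in a Request` heading added earlier in this patch; worth checking on the rendered page, since a mismatch would leave a dead link. The surrounding sentence reads fine.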
@ -192,11 +203,8 @@ email, signed by the server.
|
||||||
|
|
||||||
To identify the user, the authenticator uses the `id_token` (not the `access_token`)
|
To identify the user, the authenticator uses the `id_token` (not the `access_token`)
|
||||||
from the OAuth2 [token response](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse)
|
from the OAuth2 [token response](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse)
|
||||||
as a bearer token.
|
as a bearer token. See [above](#putting-a-bearer-token-in-a-request) for how the token
|
||||||
|
is included in a request.
|
||||||
```
|
|
||||||
Authentication: Bearer (id_token)
|
|
||||||
```
|
|
||||||
|
|
||||||
To enable the plugin, pass the following required flags:
|
To enable the plugin, pass the following required flags:
|
||||||
|
|
||||||
|
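Review bot: removing this block is the right call, as it duplicated the new shared section, and the removed example also carried the `Authentication:` header name, so the consolidated example this sentence now links to needs to use `Authorization:` for the consolidation to be an improvement. The line break between `the token` and `is included in a request.` is fine for the wrapped source.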
@ -272,10 +280,11 @@ contexts:
|
||||||
name: webhook
|
name: webhook
|
||||||
```
|
```
|
||||||
|
|
||||||
When a client attempts to authenticate with the API server using a bearer token,
|
When a client attempts to authenticate with the API server using a bearer token
|
||||||
using the `Authorization: Bearer (TOKEN)` HTTP header the authentication webhook
|
as discussed [above](#putting-a-bearer-token-in-a-request),
|
||||||
|
the authentication webhook
|
||||||
queries the remote service with a review object containing the token. Kubernetes
|
queries the remote service with a review object containing the token. Kubernetes
|
||||||
will not challenge request that lack such a header.
|
will not challenge a request that lacks such a header.
|
||||||
|
|
||||||
Note that webhook API objects are subject to the same [versioning compatibility rules](/docs/api/)
|
Note that webhook API objects are subject to the same [versioning compatibility rules](/docs/api/)
|
||||||
as other Kubernetes API objects. Implementers should be aware of looser
|
as other Kubernetes API objects. Implementers should be aware of looser
|
||||||
|
|
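Review bot: with the explicit `Authorization: Bearer (TOKEN)` mention removed from the first sentence, the phrase `a request that lacks such a header` in the last sentence no longer has an antecedent in this paragraph. Suggest naming the header there, e.g. `will not challenge a request that lacks an `Authorization` header.` The grammar fix from `request that lack` to `a request that lacks` is good.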