Proposal: APIServer fields for authenticating proxy #2691
Comments
https://github.com/kubernetes/kops/blob/master/docs/development/api_updates.md outlines how to make the changes.
justinsb added a commit to justinsb/kops that referenced this issue, Oct 22, 2017
Create the keypairs, which are supposed to be signed by a different CA. Set the `--requestheader-...` flags on apiserver. Fix kubernetes#3152 Fix kubernetes#2691
k8s-github-robot pushed a commit that referenced this issue, Nov 28, 2017
Automatic merge from submit-queue.

Map horizontal-pod-autoscaler-use-rest-clients flag

Maps `--horizontal-pod-autoscaler-use-rest-clients` flag which is required for [Horizontal Pod Autoscaling][1]. See Kubernetes code in [kubernetes/kubernetes/blob/v1.7.11/cmd/kube-controller-manager/app/autoscaling.go#L36-L39][2].

Seems this is the missing piece for fulfilment of HPA pre-requisites, which are:

* ✅ Enable the [Aggregation Layer][4] via the following kube-apiserver flags
  * ✅ `--requestheader-client-ca-file=<path to aggregator CA cert>` (see #3679)
  * ✅ `--requestheader-allowed-names=aggregator` (see #3679)
  * ✅ `--requestheader-extra-headers-prefix=X-Remote-Extra-` (see #3679)
  * ✅ `--requestheader-group-headers=X-Remote-Group` (see #3679)
  * ✅ `--requestheader-username-headers=X-Remote-User` (see #3679)
  * ✅ `--proxy-client-cert-file=<path to aggregator proxy cert>` (see #3165)
  * ✅ `--proxy-client-key-file=<path to aggregator proxy key>` (see #3165)
* ❓ [Horizontal Pod Scaling][3] ... set the appropriate flags for `kube-controller-manager`:
  * ❎ `--horizontal-pod-autoscaler-use-rest-clients` should be `true`.
  * ✅ `--kubeconfig <path-to-kubeconfig>` (already set)

**Relevant Documentation:**

* https://v1-7.docs.kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
* https://v1-7.docs.kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/

**Relevant Issues & PRs:**

* #3679
* #3152
* #2691
* #2652
* #3165

[1]: https://v1-7.docs.kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
[2]: https://github.com/kubernetes/kubernetes/blob/v1.7.11/cmd/kube-controller-manager/app/autoscaling.go#L36-L39
[3]: https://v1-7.docs.kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
[4]: https://v1-7.docs.kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/
Kubernetes supports configuration of user accounts based on headers specified in some authenticating proxy. See: https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
If I understand the intended usage correctly, in order for kops clusters to use this properly, kops cluster definitions will need to pass the following flags to apiserver containers that it spawns.
It seems like adding these as fields of a KubeAPIServerConfig is a reasonable course of action. Probably something like
My understanding is that this is likely a straightforward change to a suitably versioned `componentconfig.go` file, but I'm not clear on what other supporting changes need to come along with it. Thanks for any feedback and recommendations.
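An added example, not part of the original issue and not kops code: a Go check over a kube-apiserver argument list for the request-header (authenticating proxy) flags discussed in this thread. The function name `auditRequestHeaderFlags`, the sample file paths and the finding texts are assumptions made for illustration; the separate-CA check follows the commit message quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// auditRequestHeaderFlags inspects kube-apiserver arguments (only the
// --name=value form) and reports gaps in authenticating-proxy settings.
// Hypothetical helper written for this example.
func auditRequestHeaderFlags(args []string) []string {
	flags := map[string]string{}
	for _, a := range args {
		kv := strings.SplitN(strings.TrimPrefix(a, "--"), "=", 2)
		if len(kv) == 2 {
			flags[kv[0]] = kv[1]
		}
	}
	var findings []string
	if flags["requestheader-username-headers"] == "" {
		return findings // request-header authentication is not configured
	}
	ca := flags["requestheader-client-ca-file"]
	switch {
	case ca == "":
		findings = append(findings, "no --requestheader-client-ca-file: proxy client certificates cannot be verified")
	case ca == flags["client-ca-file"]:
		findings = append(findings, "--requestheader-client-ca-file reuses --client-ca-file: sign the proxy keypair with a separate CA")
	}
	if flags["requestheader-allowed-names"] == "" {
		findings = append(findings, "--requestheader-allowed-names is empty: any certificate from the request-header CA is accepted")
	}
	return findings
}

func main() {
	// Constructed sample argument list; the file paths are placeholders.
	args := []string{
		"--client-ca-file=/srv/kubernetes/ca.crt",
		"--requestheader-client-ca-file=/srv/kubernetes/ca.crt",
		"--requestheader-username-headers=X-Remote-User",
		"--requestheader-group-headers=X-Remote-Group",
		"--requestheader-extra-headers-prefix=X-Remote-Extra-",
	}
	for _, f := range auditRequestHeaderFlags(args) {
		fmt.Println("FINDING:", f)
	}
}
```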