Merge pull request #2793 from liggitt/tls_auth

x509 request authenticator
2025-09-17 07:03:31 +00:00 · 2014-12-09 15:17:39 -08:00
parent 4a9afe61da 09ba404fb7
commit 9a7f4469c1
4 changed files with 711 additions and 0 deletions
--- a/cmd/kube-apiserver/apiserver.go
+++ b/cmd/kube-apiserver/apiserver.go
@@ -19,6 +19,7 @@ limitations under the License.
 package main

 import (
+	"crypto/tls"
 	"flag"
 	"net"
 	"net/http"
@@ -222,6 +223,11 @@ func main() {
 			ReadTimeout:    5 * time.Minute,
 			WriteTimeout:   5 * time.Minute,
 			MaxHeaderBytes: 1 << 20,
+			TLSConfig: &tls.Config{
+				// Populate PeerCertificates in requests, but don't reject connections without certificates
+				// This allows certificates to be validated by authenticators, while still allowing other auth types
+				ClientAuth: tls.RequestClientCert,
+			},
 		}
 		glog.Infof("Serving securely on %s", secureLocation)
 		go func() {