github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 22:46:12 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #38127 from deads2k/api-50-add-group

Browse Source 
Automatic merge from submit-queue

update local-up-cluster to allow full authentication proxying

Adds group and header information in auth proxy authenticator options for `local-up-cluster.sh`.  Must have been missed in the rebase madness.
This commit is contained in:
Kubernetes Submit Queue 2016-12-07 05:33:23 -08:00 committed by GitHub
commit ffda42fa07
1 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
hack/local-up-cluster.sh
View File

@ -58,7 +58,6 @@ FEATURE_GATES=${FEATURE_GATES:-"AllAlpha=true"}
# RBAC Mode options
ALLOW_ANY_TOKEN=${ALLOW_ANY_TOKEN:-false}
ENABLE_AUTH_PROXY=${ENABLE_AUTH_PROXY:-false}
ENABLE_RBAC=${ENABLE_RBAC:-false}
KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:-""}
AUTH_ARGS=${AUTH_ARGS:-""}
@ -412,12 +411,6 @@ function start_apiserver {
anytoken_arg="--insecure-allow-any-token "
KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:-"system:admin/system:masters"}
fi
auth_proxy_arg=""
if [[ "${ENABLE_AUTH_PROXY}" = true ]]; then
auth_proxy_arg="--requestheader-username-headers=X-Remote-User \
--requestheader-client-ca-file=${CERT_DIR}/auth-proxy-client-ca.crt \
--requestheader-allowed-names=system:auth-proxy "
fi
authorizer_arg=""
if [[ "${ENABLE_RBAC}" = true ]]; then
authorizer_arg="--authorization-mode=RBAC "
@ -462,7 +455,7 @@ EOF
create_client_certkey auth-proxy-client-ca auth-proxy system:auth-proxy
APISERVER_LOG=/tmp/kube-apiserver.log
${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${auth_proxy_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
${advertise_address} \
--v=${LOG_LEVEL} \
--cert-dir="${CERT_DIR}" \
@ -480,6 +473,11 @@ EOF
--feature-gates="${FEATURE_GATES}" \
--cloud-provider="${CLOUD_PROVIDER}" \
--cloud-config="${CLOUD_CONFIG}" \
--requestheader-username-headers=X-Remote-User \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-client-ca-file=${CERT_DIR}/auth-proxy-client-ca.crt \
--requestheader-allowed-names=system:auth-proxy \
--cors-allowed-origins="${API_CORS_ALLOWED_ORIGINS}" >"${APISERVER_LOG}" 2>&1 &
APISERVER_PID=$!