github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #38127 from deads2k/api-50-add-group

Browse Source 
Automatic merge from submit-queue

update local-up-cluster to allow full authentication proxying

Adds group and header information in auth proxy authenticator options for `local-up-cluster.sh`.  Must have been missed in the rebase madness.
This commit is contained in:
Kubernetes Submit Queue
2016-12-07 05:33:23 -08:00
committed by GitHub
parent 2b1ab2f0d4 fdb0b2bca2
commit ffda42fa07
1 changed files with 6 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
hack/local-up-cluster.sh
View File

@@ -58,7 +58,6 @@ FEATURE_GATES=${FEATURE_GATES:-"AllAlpha=true"}
# RBAC Mode options # RBAC Mode options
ALLOW_ANY_TOKEN=${ALLOW_ANY_TOKEN:-false} ALLOW_ANY_TOKEN=${ALLOW_ANY_TOKEN:-false}
ENABLE_AUTH_PROXY=${ENABLE_AUTH_PROXY:-false}
ENABLE_RBAC=${ENABLE_RBAC:-false} ENABLE_RBAC=${ENABLE_RBAC:-false}
KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:-""} KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:-""}
AUTH_ARGS=${AUTH_ARGS:-""} AUTH_ARGS=${AUTH_ARGS:-""}
@@ -412,12 +411,6 @@ function start_apiserver {
anytoken_arg="--insecure-allow-any-token " anytoken_arg="--insecure-allow-any-token "
KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:-"system:admin/system:masters"} KUBECONFIG_TOKEN=${KUBECONFIG_TOKEN:-"system:admin/system:masters"}
fi fi
auth_proxy_arg=""
if [[ "${ENABLE_AUTH_PROXY}" = true ]]; then
auth_proxy_arg="--requestheader-username-headers=X-Remote-User \
--requestheader-client-ca-file=${CERT_DIR}/auth-proxy-client-ca.crt \
--requestheader-allowed-names=system:auth-proxy "
fi
authorizer_arg="" authorizer_arg=""
if [[ "${ENABLE_RBAC}" = true ]]; then if [[ "${ENABLE_RBAC}" = true ]]; then
authorizer_arg="--authorization-mode=RBAC " authorizer_arg="--authorization-mode=RBAC "
@@ -462,7 +455,7 @@ EOF
create_client_certkey auth-proxy-client-ca auth-proxy system:auth-proxy create_client_certkey auth-proxy-client-ca auth-proxy system:auth-proxy
APISERVER_LOG=/tmp/kube-apiserver.log APISERVER_LOG=/tmp/kube-apiserver.log
${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${auth_proxy_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\ ${CONTROLPLANE_SUDO} "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${authorizer_arg} ${priv_arg} ${runtime_config}\
${advertise_address} \ ${advertise_address} \
--v=${LOG_LEVEL} \ --v=${LOG_LEVEL} \
--cert-dir="${CERT_DIR}" \ --cert-dir="${CERT_DIR}" \
@@ -480,6 +473,11 @@ EOF
--feature-gates="${FEATURE_GATES}" \ --feature-gates="${FEATURE_GATES}" \
--cloud-provider="${CLOUD_PROVIDER}" \ --cloud-provider="${CLOUD_PROVIDER}" \
--cloud-config="${CLOUD_CONFIG}" \ --cloud-config="${CLOUD_CONFIG}" \
--requestheader-username-headers=X-Remote-User \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-client-ca-file=${CERT_DIR}/auth-proxy-client-ca.crt \
--requestheader-allowed-names=system:auth-proxy \
--cors-allowed-origins="${API_CORS_ALLOWED_ORIGINS}" >"${APISERVER_LOG}" 2>&1 & --cors-allowed-origins="${API_CORS_ALLOWED_ORIGINS}" >"${APISERVER_LOG}" 2>&1 &
APISERVER_PID=$! APISERVER_PID=$!