```sh
# Tells the API server how to reach the webhook server (a kubeconfig-format file)
--authentication-token-webhook-config-file
# How long a token verdict is cached; defaults to 2 minutes
--authentication-token-webhook-cache-ttl
```

The configuration file format is:
```yaml
# clusters refers to the remote service.
clusters:
  - name: name-of-remote-authn-service
    cluster:
      # CA for verifying the remote service.
      certificate-authority: /path/to/ca.pem
      # URL of remote service to query. Must use 'https'.
      server: https://authn.example.com/authenticate

# users refers to the API server's webhook configuration.
users:
  - name: name-of-api-server
    user:
      # cert for the webhook plugin to use
      client-certificate: /path/to/cert.pem
      # key matching the cert
      client-key: /path/to/key.pem

# kubeconfig files require a context. Provide one for the API server.
current-context: webhook
contexts:
- context:
    cluster: name-of-remote-authn-service
    # must match the users[].name entry above
    user: name-of-api-server
  name: webhook
```
Anonymous requests carry the user name system:anonymous and the group system:unauthenticated.
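As an added example (not code from the original page or from Kubernetes itself), a minimal webhook authentication service in Python that answers the TokenReview requests the API server POSTs to the `server` URL configured above. The token table is constructed for the demo and the service is hypothetical; a real one would consult its own identity store.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler

# Constructed (hypothetical) token table: bearer token -> (username, uid, groups).
TOKENS = {
    "tok-alice-0001": ("alice", "u-1001", ["developers"]),
    "tok-ci-bot-0002": ("ci-bot", "u-2002", ["ci", "deployers"]),
}
def lookup(token):
    # Compare against every known token in constant time so response timing does
    # not reveal how much of a presented token matched.
    found = None
    for known, identity in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            found = identity
    return found

def review(request):
    # The API server POSTs {"apiVersion": "authentication.k8s.io/v1beta1", "kind": "TokenReview",
    # "spec": {"token": "..."}} and expects the same object back with a status block.
    # Anything malformed or unknown is answered as not authenticated.
    api_version = str(request.get("apiVersion", ""))
    reply = {"apiVersion": api_version or "authentication.k8s.io/v1beta1",
             "kind": "TokenReview", "status": {"authenticated": False}}
    if request.get("kind") != "TokenReview" or not api_version.startswith("authentication.k8s.io/"):
        return reply
    spec = request.get("spec")
    token = spec.get("token") if isinstance(spec, dict) else None
    if not isinstance(token, str) or not token:
        return reply
    identity = lookup(token)
    if identity is None:
        return reply  # the token itself is never echoed back
    username, uid, groups = identity
    reply["status"] = {"authenticated": True,
                       "user": {"username": username, "uid": uid, "groups": groups}}
    return reply

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        except ValueError:
            body = {}
        out = json.dumps(review(body if isinstance(body, dict) else {})).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(out)
```

Serve `Handler` with `http.server.HTTPServer` behind a TLS terminator, since the kubeconfig above requires an https URL; the API server caches each verdict for the cache-ttl, so revoking a token takes effect only after that window.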
Credential Plugin
A credential plugin is configured in the kubectl configuration file (kubeconfig), for example:
```yaml
apiVersion: v1
kind: Config
users:
- name: my-user
  user:
    exec:
      # Command to execute. Required.
      command: "example-client-go-exec-plugin"

      # API version to use when decoding the ExecCredentials resource. Required.
      #
      # The API version returned by the plugin MUST match the version listed here.
      #
      # To integrate with tools that support multiple versions (such as client.authentication.k8s.io/v1alpha1),
      # set an environment variable or pass an argument to the tool that indicates which version the exec plugin expects.
      apiVersion: "client.authentication.k8s.io/v1beta1"

      # Environment variables to set when executing the plugin. Optional.
      env:
      - name: "FOO"
        value: "bar"

      # Arguments to pass when executing the plugin. Optional.
      args:
      - "arg1"
      - "arg2"
clusters:
- name: my-cluster
  cluster:
    server: "https://172.17.4.100:6443"
    certificate-authority: "/etc/kubernetes/ca.pem"
contexts:
- name: my-cluster
  context:
    cluster: my-cluster
    user: my-user
current-context: my-cluster
```