Tweak authentication advice about command line arguments #53397
base: dev-1.35
| {{< note >}} | ||
| Prior to Kubernetes 1.11.3 (and 1.10.7, 1.9.11), the `extra` key could only contain characters that | ||
| were [legal in HTTP header labels](https://tools.ietf.org/html/rfc7230#section-3.2.6). | ||
| {{< /note >}} |
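Review bot: The note on the `extra` key only describes behaviour of the 1.9, 1.10 and 1.11 patch releases, so it can go; if it is kept for historical context, the link should point at the current definition of a token in RFC 9110 (section 5.6.2), since RFC 7230 is obsoleted.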
I propose to remove this because none of those older versions have been supported for some time.
Those old releases are definitely out of support.
/assign @aramase
Hello @kubernetes/sig-auth-pr-reviews, we would appreciate your review of these proposed changes ahead of the v1.35 release next week. Please add LGTM if everything looks good. Thank you!
| #### Bootstrap token configuration {#api-server-authn-config-cli-bootstrap} | ||
|
|
||
| `--enable-bootstrap-token-auth` | ||
| : When this flag is set, you can use [bootstrap tokens](#bootstrap-tokens) to authenticate. |
Do we want to indicate the default values for these flags? This one defaults to false.
|
|
||
| #### Anonymous authentication configuration {#api-server-authn-config-cli-anonymous} | ||
|
|
||
| `--anonymous-auth` |
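Review bot: `--anonymous-auth` is the only flag in this series shown without a description; add one next to its default, stating that when it is enabled a request carrying no credentials is authenticated as user `system:anonymous` in group `system:unauthenticated` instead of being rejected, which is why turning it off (or scoping it with the configuration file) matters for an API server reachable from untrusted networks.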
Do we want to indicate the default values for these flags? This one defaults to true.
| #### Certificate authentication configuration {#api-server-authn-config-cli-x-509} | ||
|
|
||
| `--client-ca-file` | ||
| : The path to the trust anchor for validating client identity, when clients use X.509 certificate authentication. |
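Review bot: Align the `--client-ca-file` description with the `--requestheader-client-ca-file` entry further down, which says "Path to a PEM-encoded certificate bundle": say here too that the file is a PEM bundle that may hold more than one CA certificate, for example "Path to a PEM-encoded certificate bundle holding the trust anchor(s) used to validate client certificates."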
| : The path to the trust anchor for validating client identity, when clients use X.509 certificate authentication. | |
| : The path to the trust anchor(s) for validating client identity, when clients use X.509 certificate authentication. |
Also, we could note that the contents of this file can be changed while the apiserver is running and is re-read. Modifications to this file should be done in an atomic way (writing to a peer temporary file, then renaming the temporary file to replace this file, etc).
| #### OIDC configuration {#api-server-authn-config-cli-oidc} | ||
|
|
||
| `--oidc-ca-file` | ||
| : The path to the trust anchor for validating client identity, when clients use OIDC. |
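Review bot: The `--oidc-ca-file` description is inaccurate: this bundle is not used to validate client identity; it is used to verify the TLS certificate of the OIDC issuer when the API server fetches the issuer's discovery document and signing keys. Client identity in OIDC comes from the signed ID token, which is checked against those keys. Suggested wording: "Path to a CA bundle used to verify the TLS certificate of the OIDC issuer named by `--oidc-issuer-url`."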
| : The path to the trust anchor for validating client identity, when clients use OIDC. | |
| : The path to the trust anchor(s) for validating client identity, when clients use OIDC. |
This file is not re-read if modified while the apiserver is running.
| : Defines the authentication audience for service account tokens. | ||
|
|
||
| `--service-account-extend-token-expiration` | ||
| : This flag turns on projected service account expiration extension during token generation, which helps safe transition from legacy tokens to bound service account token feature. See [authenticating service account credentials](/docs/concepts/security/service-accounts/#authenticating-credentials). |
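Review bot: "helps safe transition" needs an article ("helps with a safe transition"), and "legacy tokens" should say which tokens are meant (the Secret-based service account tokens). It would also help to say how far the expiration is extended: tokens injected by the service account admission plugin get a lifetime of up to one year while this flag is on, so a reader understands that the default of true deliberately trades short-lived tokens for not breaking workloads that never refresh them.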
This defaults to true
| : Path to socket where an external JWT signer is listening. You can use this to integrate with an external token signer. | ||
|
|
||
| `--service-account-signing-key-file` | ||
| : Path to the file that contains the current private key of the service account token issuer. |
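Review bot: "current private key" at `--service-account-signing-key-file` implies rotation, but the entry does not say what keeps tokens signed with the previous key valid; note that verification keys are listed separately with `--service-account-key-file`, which may be repeated, so the old public key can stay there while the new private key signs until all old tokens have expired.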
Changes to this file while the API server is running are not re-read.
| #### Static token configuration {#api-server-authn-config-cli-bearer} | ||
|
|
||
| `--token-auth-file` | ||
| : Path to the configuration file for [static bearer tokens](#static-token-file). |
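Review bot: Beyond the restart requirement, the `--token-auth-file` entry should warn that the file lists bearer tokens in clear text (one CSV row per token with the user name, uid and optional groups), so it must be readable only by the API server process and treated as a credential store rather than ordinary configuration.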
Changes to this file while the API server is running are not re-read.
| : How long (as a Kubernetes duration specification) the API server should cache the outcome of HTTP callouts to validate tokens. | ||
|
|
||
| `--authentication-token-webhook-config-file` | ||
| : The path to a kubeconfig format client configuration, that specifies how the API server authenticates when making HTTP callouts. |
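Review bot: The `--authentication-token-webhook-config-file` description understates what the kubeconfig provides: it names the remote webhook (the cluster server URL and the CA used to verify it) as well as the client credentials the API server presents, so say "specifies the webhook endpoint to call and how the API server authenticates to it". The cache TTL entry above could also note the security trade-off: a cached positive result keeps a token accepted for up to that duration after the webhook would have started rejecting it.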
Changes to this file while the API server is running are not re-read.
|
|
||
| `--requestheader-client-ca-file` | ||
| : _Required._ | ||
| Path to a PEM-encoded certificate bundle. |
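Review bot: "_Required._" at `--requestheader-client-ca-file` is misleading on its own: the bundle is required to enable the request-header (authenticating proxy) authenticator, i.e. whenever `--requestheader-username-headers` is set, not for every API server. Qualify it, and keep the suggested wording about validating the proxy's identity, since the whole scheme rests on only the proxy being able to present a certificate chaining to that bundle before the username headers are trusted.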
| Path to a PEM-encoded certificate bundle. | |
| Path to a PEM-encoded certificate bundle containing trust anchor(s) for validating authenticating proxy identity. |
| #### Configuration file path {#api-server-authn-config-cli-general} | ||
|
|
||
| `--authentication-config` | ||
| : This special command line argument specifies that you want to [configure authentication using a configuration file](#api-server-authn-config-file). |
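Review bot: "This special command line argument" says nothing about what makes it special; state the constraint instead: `--authentication-config` cannot be combined with the `--oidc-*` flags (the JWT authenticator is configured either on the command line or in the file, not both), and name which authenticators the file can configure so the reader knows which of the flags above it replaces.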
The contents of this file can be changed while the apiserver is running and is re-read. Modifications to this file should be done in an atomic way (writing to a peer temporary file, then renaming the temporary file to replace this file, etc).
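The atomic replacement suggested in the comments on `--client-ca-file` and `--authentication-config` above, as an added example that is not part of this PR or of the Kubernetes project: a POSIX shell function that installs a new version of a file the API server re-reads at runtime by writing to a temporary file in the same directory and renaming it over the original, so a reader never sees a half-written file. Paths are assumptions; refusing to install an empty file is an added check (an empty CA bundle would silently stop every client certificate from validating).

```shell
# Added example, not kube-apiserver or Kubernetes project code.
# atomic_replace NEW_CONTENT_FILE DESTINATION
#   Installs NEW_CONTENT_FILE at DESTINATION without any window in which
#   DESTINATION is empty or partially written. rename(2) is atomic only
#   within one filesystem, so the temporary file is created next to the
#   destination rather than in /tmp.
atomic_replace() {
    src="$1"
    dst="$2"
    # Refuse empty input: an empty trust bundle or config is almost always
    # an upstream failure, and installing it would lock out every client.
    [ -s "$src" ] || { echo "atomic_replace: $src is empty or missing" >&2; return 1; }
    dir=$(dirname "$dst")
    tmp=$(mktemp "$dir/.$(basename "$dst").XXXXXX") || return 1
    # Preserve the mode of the file being replaced; new files default to
    # owner-only, which is what a credential or trust file should get.
    if [ -e "$dst" ]; then
        mode=$(stat -c '%a' "$dst" 2>/dev/null || stat -f '%Lp' "$dst")
    else
        mode=600
    fi
    cat "$src" > "$tmp" && chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
    # Flush the temporary file's data to disk before it becomes visible
    # under the real name, so a crash cannot leave a truncated file there.
    sync
    mv -f "$tmp" "$dst"
}
```

Run it as `atomic_replace /run/new-ca.crt /etc/kubernetes/pki/ca.crt` (paths assumed). For a file the API server does not re-read, such as `--token-auth-file` or the signing key, the same swap is still the right way to write the file, but a restart is needed before the change takes effect.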
Feedback noted, but I don't plan to do any fixups this year, 2025, to the authn pages work stream from
(bear in mind that every push back on a PR is a message of discouragement…)
PR #52907 added a page about user impersonation that will go live when v1.35 is released.
Build on that to:
Based on PR #50364 but not directly derived from it.
/language en
/sig auth