Documentation
Index
- func NewFromTokens(tokens map[string]*user.DefaultInfo, audiences authenticator.Audiences) authenticator.Request
- func RecordRequestLatency(ctx context.Context, code string, latency float64)
- func RecordRequestTotal(ctx context.Context, code string)
- type DelegatingAuthenticatorConfig
- type RequestHeaderConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewFromTokens
func NewFromTokens(tokens map[string]*user.DefaultInfo, audiences authenticator.Audiences) authenticator.Request
NewFromTokens returns an authenticator.Request or an error
func RecordRequestLatency (added in v0.22.0)
RecordRequestLatency measures request latency in seconds for the delegated authentication. Broken down by status code.
func RecordRequestTotal (added in v0.22.0)
RecordRequestTotal increments the total number of requests for the delegated authentication.
Types
type DelegatingAuthenticatorConfig
type DelegatingAuthenticatorConfig struct {
	Anonymous *apiserver.AnonymousAuthConfig

	// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
	TokenAccessReviewClient authenticationclient.AuthenticationV1Interface

	// TokenAccessReviewTimeout specifies a time limit for requests made by the authorization webhook client.
	TokenAccessReviewTimeout time.Duration

	// WebhookRetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff

	// CacheTTL is the length of time that a token authentication answer will be cached.
	CacheTTL time.Duration

	// CAContentProvider are the options for verifying incoming connections using mTLS and directly assigning to users.
	// Generally this is the CA bundle file used to authenticate client certificates
	// If this is nil, then mTLS will not be used.
	ClientCertificateCAContentProvider dynamiccertificates.CAContentProvider

	APIAudiences authenticator.Audiences

	RequestHeaderConfig *RequestHeaderConfig
}
DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator built to delegate authentication to a kube API server
func (DelegatingAuthenticatorConfig) New
func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDefinitions, error)
type RequestHeaderConfig
type RequestHeaderConfig struct {
	// UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
	UsernameHeaders headerrequest.StringSliceProvider

	// UIDHeaders are the headers to check (in order, case-insensitively) for an identity UID. The first header with a value wins.
	UIDHeaders headerrequest.StringSliceProvider

	// GroupHeaders are the headers to check (case-insensitively) for group names. All values will be used.
	GroupHeaders headerrequest.StringSliceProvider

	// ExtraHeaderPrefixes are the header prefixes to check (case-insensitively) for filling in
	// the user.Info.Extra. All values of all matching headers will be added.
	ExtraHeaderPrefixes headerrequest.StringSliceProvider

	// CAContentProvider the options for verifying incoming connections using mTLS. Generally this points to a CA bundle file which is used to verify the identity of the front proxy.
	// It may produce different options at will.
	CAContentProvider dynamiccertificates.CAContentProvider

	// AllowedClientNames is a list of common names that may be presented by the authenticating front proxy. Empty means: accept any.
	AllowedClientNames headerrequest.StringSliceProvider
}
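The field comments on RequestHeaderConfig describe how identity headers are resolved and state that an empty AllowedClientNames accepts any client. The following standard-library model of those rules is an added example, not code from this package: headerPolicy and resolve are hypothetical names, the header values are constructed, and the client certificate is assumed to have already been verified against the CA.

```go
package main

import (
	"fmt"
	"net/http"
)

// headerPolicy is a hypothetical stand-in for RequestHeaderConfig using plain slices.
type headerPolicy struct {
	UsernameHeaders    []string
	GroupHeaders       []string
	AllowedClientNames []string
}

// resolve models the field comments. proxyCN is the common name of a client
// certificate that is assumed to have already been verified against the CA.
func resolve(p headerPolicy, proxyCN string, h http.Header) (user string, groups []string, ok bool) {
	if len(p.AllowedClientNames) > 0 { // empty list: any CA-signed client may assert identities
		allowed := false
		for _, cn := range p.AllowedClientNames {
			allowed = allowed || cn == proxyCN
		}
		if !allowed {
			return "", nil, false
		}
	}
	for _, name := range p.UsernameHeaders { // checked in order; first header with a value wins
		if user = h.Get(name); user != "" { // Get canonicalizes the key, so the match is case-insensitive
			break
		}
	}
	if user == "" {
		return "", nil, false
	}
	for _, name := range p.GroupHeaders { // every value of every group header is used
		groups = append(groups, h.Values(name)...)
	}
	return user, groups, true
}

func main() {
	h := http.Header{} // constructed sample request headers
	h.Add("X-Remote-User", "alice")
	h.Add("X-Remote-Group", "dev")
	h.Add("X-Remote-Group", "ops")
	p := headerPolicy{UsernameHeaders: []string{"x-remote-user"}, GroupHeaders: []string{"x-remote-group"}}
	fmt.Println(resolve(p, "some-other-client", h)) // accepted: AllowedClientNames is empty
	p.AllowedClientNames = []string{"front-proxy-client"}
	fmt.Println(resolve(p, "some-other-client", h)) // rejected: common name is not in the list
}
```

With AllowedClientNames empty, the CA bundle is the only gate on who may assert identities through these headers, so either populate the list or keep that CA dedicated to the front proxy.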