Documentation
Index
- func NewFromTokens(tokens map[string]*user.DefaultInfo, audiences authenticator.Audiences) authenticator.Request
- func RecordRequestLatency(ctx context.Context, code string, latency float64)
- func RecordRequestTotal(ctx context.Context, code string)
- type DelegatingAuthenticatorConfig
- type RequestHeaderConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewFromTokens
func NewFromTokens(tokens map[string]*user.DefaultInfo, audiences authenticator.Audiences) authenticator.Request
NewFromTokens returns an authenticator.Request or an error
func RecordRequestLatency (added in v0.22.0)
func RecordRequestLatency(ctx context.Context, code string, latency float64)
RecordRequestLatency measures request latency in seconds for the delegated authentication, broken down by status code.
func RecordRequestTotal (added in v0.22.0)
func RecordRequestTotal(ctx context.Context, code string)
RecordRequestTotal increments the total number of requests for the delegated authentication.
Types
type DelegatingAuthenticatorConfig
type DelegatingAuthenticatorConfig struct {
	Anonymous *apiserver.AnonymousAuthConfig
	// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
	TokenAccessReviewClient authenticationclient.AuthenticationV1Interface
	// TokenAccessReviewTimeout specifies a time limit for requests made by the authorization webhook client.
	TokenAccessReviewTimeout time.Duration
	// WebhookRetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
	// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
	// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
	WebhookRetryBackoff *wait.Backoff
	// CacheTTL is the length of time that a token authentication answer will be cached.
	CacheTTL time.Duration
	// ClientCertificateCAContentProvider are the options for verifying incoming connections using mTLS and directly assigning to users.
	// Generally this is the CA bundle file used to authenticate client certificates.
	// If this is nil, then mTLS will not be used.
	ClientCertificateCAContentProvider dynamiccertificates.CAContentProvider
	APIAudiences authenticator.Audiences
	RequestHeaderConfig *RequestHeaderConfig
}
DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator built to delegate authentication to a kube API server.
type RequestHeaderConfig
type RequestHeaderConfig struct {
	// UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
	UsernameHeaders headerrequest.StringSliceProvider
	// GroupHeaders are the headers to check (case-insensitively) for group names. All values will be used.
	GroupHeaders headerrequest.StringSliceProvider
	// ExtraHeaderPrefixes are the header prefixes to check (case-insensitively) for filling in
	// the user.Info.Extra. All values of all matching headers will be added.
	ExtraHeaderPrefixes headerrequest.StringSliceProvider
	// CAContentProvider are the options for verifying incoming connections using mTLS. Generally this points to a CA bundle file which is used to verify the identity of the front proxy.
	// It may produce different options at will.
	CAContentProvider dynamiccertificates.CAContentProvider
	// AllowedClientNames is a list of common names that may be presented by the authenticating front proxy. Empty means: accept any.
	AllowedClientNames headerrequest.StringSliceProvider
}
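The field comments on RequestHeaderConfig describe a trust decision: once the client certificate verifies against the CA bundle, the caller's identity is taken from request headers. The following added example (a simplified standard-library model, not this package's code) shows the username ordering, group collection and the effect of leaving AllowedClientNames empty. The type headerAuthModel, the function authenticate, the X-Remote-* header names and the sample values are assumptions made for the illustration; ExtraHeaderPrefixes and the mTLS verification itself are left out.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// headerAuthModel is a hypothetical stand-in for RequestHeaderConfig using plain slices.
type headerAuthModel struct {
	UsernameHeaders, GroupHeaders, AllowedClientNames []string
}

// authenticate assumes verifiedCN is the common name of a client certificate that
// has already been verified against the front-proxy CA bundle.
func (m headerAuthModel) authenticate(verifiedCN string, h http.Header) (name string, groups []string, err error) {
	allowed := len(m.AllowedClientNames) == 0 // empty list means: accept any CN
	for _, cn := range m.AllowedClientNames {
		allowed = allowed || cn == verifiedCN
	}
	if !allowed {
		return "", nil, errors.New("client CN not allowed: " + verifiedCN)
	}
	for _, hdr := range m.UsernameHeaders { // checked in order; first header with a value wins
		if name = h.Get(hdr); name != "" { // Get canonicalises, so the match is case-insensitive
			break
		}
	}
	if name == "" {
		return "", nil, errors.New("no username header present")
	}
	for _, hdr := range m.GroupHeaders { // every value of every group header is used
		groups = append(groups, h.Values(hdr)...)
	}
	return name, groups, nil
}

// sampleHeaders returns constructed headers of the kind a front proxy would set.
func sampleHeaders() http.Header {
	return http.Header{"X-Remote-User": {"alice"}, "X-Remote-Group": {"dev", "ops"}}
}

func main() {
	m := headerAuthModel{UsernameHeaders: []string{"x-remote-user"}, GroupHeaders: []string{"x-remote-group"}}
	fmt.Println(m.authenticate("any-client", sampleHeaders())) // accepted: no CN restriction
	m.AllowedClientNames = []string{"front-proxy"}
	fmt.Println(m.authenticate("any-client", sampleHeaders())) // rejected: CN not in the list
}
```

With an empty AllowedClientNames, every certificate issued by the configured CA can assert any username and groups, so the CA bundle behind CAContentProvider should be one that signs only front-proxy certificates, or the list should name the proxy explicitly.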