fix(impersonation): Fallback to using in-cluster config when Impersonate* headers in request
mecampbellsoup committed Dec 4, 2023
1 parent fe81d96 commit f6833e8
Showing 6 changed files with 57 additions and 50 deletions.
50 changes: 25 additions & 25 deletions docs/common/arguments.md
Expand Up @@ -4,31 +4,31 @@ Dashboard containers accept multiple arguments that can be used to customize the

## Dashboard API arguments

| Argument name | Default value | Description |
|-----------------------------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| insecure-port | 9000 | The port to listen to for incoming HTTP requests. |
| port | 9001 | The secure port to listen to for incoming HTTPS requests. |
| insecure-bind-address | 127.0.0.1 | The IP address on which to serve the `--insecure-port` (set to 127.0.0.1 for loopback only). |
| bind-address | 0.0.0.0 | The IP address on which to serve the `--port` (set to 0.0.0.0 for all interfaces). |
| default-cert-dir | /certs | Directory path containing `--tls-cert-file` and `--tls-key-file` files. Used also when auto-generating certificates flag is set. Relative to the container, not the host. |
| tls-cert-file | - | File containing the default x509 Certificate for HTTPS. |
| tls-key-file | - | File containing the default x509 private key matching --tls-cert-file. |
| auto-generate-certificates | false | When set to true, Dashboard will automatically generate certificates used to serve HTTPS. |
| apiserver-host | - | The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted. |
| namespace-header | - | The name of the request header that contains authorized namespaces. Used in multi-tenant clusters with [namespace-per-tenant isolation](https://kubernetes.io/docs/concepts/security/multi-tenancy/#namespace-per-tenant) that lack cluster-scoped RBAC to list namespaces in the cluster. |
| namespace-pattern | - | A regular expression applied to the header data contained by `--namespace-header`. Used to extract the authorized namespace(s) from the header data. If not specified, the `--namespace-header` data is expected to contain a list of namespace names. |
| api-log-level | INFO | Level of API request logging. Should be one of `INFO\|NONE\|DEBUG`. |
| heapster-host | - | The address of the Heapster Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used. |
| sidecar-host | - | The address of the Sidecar Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8000. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used. |
| metrics-provider | sidecar | Select provider type for metrics. 'none' will not check metrics. |
| metric-client-check-period | 30 | Time in seconds that defines how often configured metric client health check should be run. |
| kubeconfig | - | Path to kubeconfig file with authorization and control plane location information. |
| namespace | kube-system | When non-default namespace is used, create encryption key in the specified namespace. |
| token-ttl | 900 | Expiration time (in seconds) of JWE tokens generated by dashboard. '0' never expires. |
| authentication-mode | token | Enables authentication options that will be reflected on the login screen in the same order as provided. Multiple options can be used at once. Supported values: token, basic. Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set. |
| enable-insecure-login | false | When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. |
| enable-skip-login | false | When enabled, the skip button on the login page will be shown. |
| disable-settings-authorizer | false | When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page. |
| Argument name | Default value | Description |
|--------------------------------------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| insecure-port | 9000 | The port to listen to for incoming HTTP requests. |
| port | 9001 | The secure port to listen to for incoming HTTPS requests. |
| insecure-bind-address | 127.0.0.1 | The IP address on which to serve the `--insecure-port` (set to 127.0.0.1 for loopback only). |
| bind-address | 0.0.0.0 | The IP address on which to serve the `--port` (set to 0.0.0.0 for all interfaces). |
| default-cert-dir | /certs | Directory path containing `--tls-cert-file` and `--tls-key-file` files. Used also when auto-generating certificates flag is set. Relative to the container, not the host. |
| tls-cert-file | - | File containing the default x509 Certificate for HTTPS. |
| tls-key-file | - | File containing the default x509 private key matching --tls-cert-file. |
| auto-generate-certificates | false | When set to true, Dashboard will automatically generate certificates used to serve HTTPS. |
| apiserver-host | - | The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted. |
| namespace-header | - | The name of the request header that contains authorized namespaces. Used in multi-tenant clusters with [namespace-per-tenant isolation](https://kubernetes.io/docs/concepts/security/multi-tenancy/#namespace-per-tenant) that lack cluster-scoped RBAC to list namespaces in the cluster. |
| namespace-pattern | - | A regular expression applied to the header data contained by `--namespace-header`. Used to extract the authorized namespace(s) from the header data. If not specified, the `--namespace-header` data is expected to contain a list of namespace names. |
| api-log-level | INFO | Level of API request logging. Should be one of `INFO\|NONE\|DEBUG`. |
| heapster-host | - | The address of the Heapster Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used. |
| sidecar-host | - | The address of the Sidecar Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8000. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used. |
| metrics-provider | sidecar | Select provider type for metrics. 'none' will not check metrics. |
| metric-client-check-period | 30 | Time in seconds that defines how often configured metric client health check should be run. |
| kubeconfig | - | Path to kubeconfig file with authorization and control plane location information. |
| namespace | kube-system | When non-default namespace is used, create encryption key in the specified namespace. |
| token-ttl | 900 | Expiration time (in seconds) of JWE tokens generated by dashboard. '0' never expires. |
| authentication-mode | token | Enables authentication options that will be reflected on the login screen in the same order as provided. Multiple options can be used at once. Supported values: token, basic. Note that basic option should only be used if apiserver has '--authorization-mode=ABAC' and '--basic-auth-file' flags set. |
| enable-insecure-login | false | When enabled, Dashboard login view will also be shown when Dashboard is not served over HTTPS. |
| enable-skip-login | false | When enabled, the skip button on the login page will be shown. |
| disable-settings-authorizer | false | When enabled, Dashboard settings page will not require user to be logged in and authorized to access settings page. |

# Dashboard Web arguments
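
Review bot: The arguments table is re-padded to a wider first column, yet no row in this hunk gains or changes any text, so all 25 additions and 25 deletions in this file are whitespace and the behaviour named in the commit title is not documented here. If the wider column was meant to make room for a new, longer argument name, that row is missing; please add it with its default value. Either way, add a sentence near `apiserver-host` or `kubeconfig` stating that requests carrying Impersonate* headers are served with the in-cluster config, since that determines which credentials perform the impersonation and what RBAC the Dashboard's own identity needs. If no documentation change is intended, drop the re-padding so the diff stays reviewable.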
