Document client skew protections

[fabianofranz]

Starting in openshift/origin#7888, admins can configure the server to prevent skewed oc clients from accessing the REST API. This has to be documented.

@deads2k should provide the info about this new feature.

[deads2k]

@adellape Is there a section where we publish all the generated doc for our types? This is sort of an unusual thing to do, so I don't think it warrants a top-level doc.

The types are documented and with the new types you can do things like:

deny clients using particular libraries or particular binaries. In this case, the kube 1.2 client binary and origin 1.1.3 binary. You could do similar things for OSE clients.

  userAgentMatchingConfig:
    defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
    deniedClients: 
    - regex: '\w+/v(?:(?:1\.1\.1)|(?:1\.0\.1)) \(.+/.+\) openshift/\w{7}'
    - regex: '\w+/v(?:1\.1\.3) \(.+/.+\) openshift/\w{7}'
    - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
    requiredClients: null

deny clients that don't match your expect clients exactly.

  userAgentMatchingConfig:
    defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
    deniedClients: []
    requiredClients: 
    - regex: '\w+/v1\.1\.3 \(.+/.+\) openshift/\w{7}'
    - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'