
@stek29
Created May 22, 2022 00:19
kube apiserver nginx http balancing poc
# kube-apiserver container arguments for the proof of concept: the API server
# sits behind nginx and accepts client identity from request headers.
- command:
- kube-apiserver
# Loopback address; the nginx upstream on this page points at 127.0.1.1:6443,
# while nginx itself listens on 127.0.0.1 and 192.168.5.15.
- --bind-address=127.0.1.1
# Identity headers are honoured only on connections whose client certificate
# has this CN and chains to the CA file on the next line. Whoever holds the
# matching key can assert any user and group, so the key needs tight file
# permissions.
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
# NOTE(review): the nginx config on this page neither sets nor clears
# X-Remote-Extra-* headers, and nginx forwards client request headers by
# default. A client with a valid certificate could presumably attach extra
# attributes to its own identity; consider leaving this prefix empty unless
# the proxy controls those headers.
- --requestheader-extra-headers-prefix=X-Remote-Extra-
# nginx fills these two headers from the O and CN fields of the client
# certificate subject.
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- ... more args ...
# nginx terminates client TLS for kube-apiserver, turns the verified client
# certificate subject into X-Remote-User / X-Remote-Group headers, and
# re-encrypts to the API server using the front-proxy client certificate.

# Single backend; the address and port match --bind-address / --secure-port
# in the kube-apiserver arguments.
upstream kubeapi {
server 127.0.1.1:6443;
}
# Username: the first "CN=" match in the client certificate subject DN, or ""
# when nothing matches (for example when no certificate was presented).
# NOTE(review): the pattern is not anchored to the start of the DN or to an
# RDN separator, so "CN=" text inside another attribute's value would also
# match. How much that matters depends on which subjects the CA in ca.crt
# will sign. Consider anchoring the pattern and testing it against the DN
# format this nginx version emits.
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "";
~CN=(?<CN>[^/,\"]+) $CN;
}
# Group: the first "O=" match only, and the pattern is unanchored like the CN
# pattern above it.
# NOTE(review): Kubernetes certificate authentication maps every O value to a
# group; a certificate with several O values yields a single group here.
map $ssl_client_s_dn $ssl_client_s_dn_o {
default "";
~O=(?<O>[^/,\"]+) $O;
}
server {
listen 127.0.0.1:6443 ssl default_server;
listen 192.168.5.15:6443 ssl default_server;
ssl_certificate /etc/kubernetes/pki/apiserver.crt;
ssl_certificate_key /etc/kubernetes/pki/apiserver.key;
# Client certificates are checked against the cluster CA.
ssl_client_certificate /etc/kubernetes/pki/ca.crt;
ssl_protocols TLSv1.2 TLSv1.3;
# "optional": the handshake also succeeds without a client certificate. Both
# map values are then "", and nginx omits a header whose proxy_set_header
# value is empty. The request reaches the API server without identity headers
# and is presumably left to its other authenticators (bearer token, anonymous).
ssl_verify_client optional;
location / {
# proxy_set_header replaces any X-Remote-User / X-Remote-Group sent by the
# client, so these two headers always come from the verified certificate.
# NOTE(review): X-Remote-Extra-* request headers are not overridden here and
# pass through unchanged, while the API server is configured to accept that
# prefix.
proxy_set_header 'X-Remote-User' $ssl_client_s_dn_cn;
proxy_set_header 'X-Remote-Group' $ssl_client_s_dn_o;
# Client certificate for the upstream TLS connection; its CN has to satisfy
# --requestheader-allowed-names on the API server.
proxy_ssl_certificate /etc/kubernetes/pki/front-proxy-client.crt;
proxy_ssl_certificate_key /etc/kubernetes/pki/front-proxy-client.key;
# NOTE(review): a trusted CA is configured, but proxy_ssl_verify is not set
# in this snippet and nginx leaves it off by default, so the upstream
# certificate is not verified. The upstream is loopback here; to verify it,
# enable proxy_ssl_verify and set proxy_ssl_name to a name present in the
# API server certificate.
proxy_ssl_trusted_certificate /etc/kubernetes/pki/ca.crt;
proxy_pass https://kubeapi;
}
}