@@ -106,6 +106,9 @@ type DelegatingAuthenticationOptions struct {
// RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the
// TokenAccessReview.authentication.k8s.io endpoint for checking tokens.
RemoteKubeConfigFilestring
// RemoteKubeConfigFileOptional is specifying whether not specifying the kubeconfig or
// a missing in-cluster config will be fatal.
RemoteKubeConfigFileOptionalbool
// CacheTTL is the length of time that a token authentication answer will be cached.
CacheTTLtime.Duration
...
...
@@ -139,9 +142,13 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
return
}
varoptionalKubeConfigSentencestring
ifs.RemoteKubeConfigFileOptional{
optionalKubeConfigSentence=" This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster."
glog.Warningf("No authentication-kubeconfig provided in order to lookup client-ca-file in configmap/%s in %s, so client certificate authentication to extension api-server won't work.",authenticationConfigMapName,authenticationConfigMapNamespace)
}
iflen(s.RequestHeader.ClientCAFile)==0{
glog.Warningf("No authentication-kubeconfig provided in order to lookup requestheader-client-ca-file in configmap/%s in %s, so request-header client certificate authentication to extension api-server won't work.",authenticationConfigMapName,authenticationConfigMapNamespace)