--insecure-port flag.
--insecure-bind-address flag.
Secure Port:
--tls-cert-file and key with --tls-private-key-file flag.
--secure-port flag.
--bind-address flag.
All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users.
--client-ca-file=/srv/kubernetes/ca.crt
--tls-cert-file=/srv/kubernetes/server.crt
--tls-private-key-file=/srv/kubernetes/server.key
use openssl to manually generate certificates for your cluster.
--token-auth-file=SOMEFILE option on the command line.
token,user,uid,"group1,group2,group3"
Authorization: Bearer 31ada4fd-adec-460c-809a-9e56ceb75269
--experimental-bootstrap-token-auth flag on the API Server.
--controllers=*,tokencleaner flag on the Controller Manager.
--basic-auth-file=SOMEFILE option to API server.
password,user,uid,"group1,group2,group3"
Basic BASE64ENCODED(USER:PASSWORD).
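The static token file (token,user,uid,"group1,group2,group3", presented as Authorization: Bearer <token>) and the basic auth file (password,user,uid,"group1,group2,group3", presented as Authorization: Basic BASE64ENCODED(USER:PASSWORD)) share one CSV layout. The Go program below is an added example, not Kubernetes source or the API server's own authenticator code: it parses that layout once and builds a bearer-token authenticator and a basic-auth authenticator on top of it, handling the optional quoted groups column and records with only three columns. The UserInfo and credential types, the sample file contents, the rejection of duplicate entries and the constant-time password comparison are choices of this example rather than documented API server behaviour.

```go
package main

import (
	"crypto/subtle"
	"encoding/csv"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// UserInfo is the identity handed to authorization (assumed shape, not the Kubernetes type).
type UserInfo struct {
	Name   string
	UID    string
	Groups []string
}

// credential is one file row: the secret column (token or password) plus the identity.
type credential struct {
	Secret string
	User   UserInfo
}

// parseCredentialFile reads the layout shared by --token-auth-file and --basic-auth-file,
// secret,user,uid[,"group1,group2,group3"], and indexes the records by column keyCol
// (0 = token, 1 = user name). Duplicate keys are rejected; errors name the user, never the secret.
func parseCredentialFile(r io.Reader, keyCol int) (map[string]credential, error) {
	cr := csv.NewReader(r)
	cr.FieldsPerRecord = -1 // records may have 3 or 4 columns
	idx := map[string]credential{}
	for n := 1; ; n++ {
		rec, err := cr.Read()
		if err == io.EOF {
			return idx, nil
		}
		if err != nil {
			return nil, err
		}
		if len(rec) < 3 || rec[0] == "" || rec[1] == "" {
			return nil, fmt.Errorf("record %d: need non-empty secret,user,uid", n)
		}
		c := credential{Secret: rec[0], User: UserInfo{Name: rec[1], UID: rec[2]}}
		if len(rec) > 3 { // the quoted groups column is one comma-separated field
			for _, g := range strings.Split(rec[3], ",") {
				if g = strings.TrimSpace(g); g != "" {
					c.User.Groups = append(c.User.Groups, g)
				}
			}
		}
		if _, dup := idx[rec[keyCol]]; dup {
			return nil, fmt.Errorf("record %d: duplicate entry for user %q", n, c.User.Name)
		}
		idx[rec[keyCol]] = c
	}
}

// TokenAuthenticator is keyed by bearer token, BasicAuthenticator by user name.
type TokenAuthenticator map[string]credential
type BasicAuthenticator map[string]credential

func NewTokenAuthenticator(r io.Reader) (TokenAuthenticator, error) {
	m, err := parseCredentialFile(r, 0)
	return TokenAuthenticator(m), err
}
func NewBasicAuthenticator(r io.Reader) (BasicAuthenticator, error) {
	m, err := parseCredentialFile(r, 1)
	return BasicAuthenticator(m), err
}

// Authenticate accepts "Authorization: Bearer <token>" and nothing else.
func (ta TokenAuthenticator) Authenticate(req *http.Request) (UserInfo, bool) {
	const prefix = "Bearer "
	auth := req.Header.Get("Authorization")
	if len(auth) <= len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
		return UserInfo{}, false
	}
	c, ok := ta[strings.TrimSpace(auth[len(prefix):])]
	return c.User, ok
}

// Authenticate decodes "Authorization: Basic BASE64ENCODED(USER:PASSWORD)" and compares in constant time.
func (ba BasicAuthenticator) Authenticate(req *http.Request) (UserInfo, bool) {
	user, pass, ok := req.BasicAuth()
	if !ok {
		return UserInfo{}, false
	}
	c, ok := ba[user]
	if !ok || subtle.ConstantTimeCompare([]byte(pass), []byte(c.Secret)) != 1 {
		return UserInfo{}, false
	}
	return c.User, true
}

// Constructed sample files; the first record of each mirrors the page's example line.
const sampleTokenFile = `31ada4fd-adec-460c-809a-9e56ceb75269,user,uid,"group1,group2,group3"
example-token-without-groups,reader,1002
`
const sampleBasicFile = `password,user,uid,"group1,group2,group3"
`
```

Keying the basic auth file by user name rather than by password matters: two users may legitimately share a password, whereas a token that maps to two identities would make the caller's identity ambiguous, which is why the token index rejects the duplicate instead.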
--service-account-key-file
A file containing a PEM encoded key for signing bearer tokens. If unspecified, the API server’s TLS private key will be used.
--service-account-lookup
If enabled, tokens which are deleted from the API will be revoked.
system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT), and are assigned to the groups system:serviceaccounts and system:serviceaccounts:(NAMESPACE).
--oidc-issuer-url
--oidc-client-id
--oidc-username-claim
--oidc-groups-claim
--oidc-ca-file
--authorization-mode=ABAC --authorization-policy-file=SOME_FILENAME
--authorization-mode=RBAC
--authorization-mode=Webhook --authorization-webhook-config-file=SOME_FILENAME
--authorization-mode=AlwaysDeny
--authorization-mode=AlwaysAllow
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds