Filed https://github.com/kubernetes/kubernetes/issues/49050 to track this.

On Mon, Jul 17, 2017 at 2:39 PM, Daniel Smith <dbsm...@google.com> wrote:

> I think you need to pass the proxy cert & request header auth flags.
>
>       --proxy-client-cert-file string
>           Client certificate used to prove the identity of the aggregator
>           or kube-apiserver when it must call out during a request. This
>           includes proxying requests to a user api-server and calling out
>           to webhook admission plugins. It is expected that this cert
>           includes a signature from the CA in the
>           --requestheader-client-ca-file flag. That CA is published in the
>           'extension-apiserver-authentication' configmap in the kube-system
>           namespace. Components receiving calls from kube-aggregator should
>           use that CA to perform their half of the mutual TLS verification.
>       --proxy-client-key-file string
>           Private key for the client certificate used to prove the identity
>           of the aggregator or kube-apiserver when it must call out during
>           a request. This includes proxying requests to a user api-server
>           and calling out to webhook admission plugins.
>
>       --requestheader-allowed-names stringSlice
>           List of client certificate common names to allow to provide
>           usernames in headers specified by
>           --requestheader-username-headers. If empty, any client
>           certificate validated by the authorities in
>           --requestheader-client-ca-file is allowed.
>       --requestheader-client-ca-file string
>           Root certificate bundle to use to verify client certificates on
>           incoming requests before trusting usernames in headers specified
>           by --requestheader-username-headers
>       --requestheader-extra-headers-prefix stringSlice
>           List of request header prefixes to inspect. X-Remote-Extra- is
>           suggested.
>       --requestheader-group-headers stringSlice
>           List of request headers to inspect for groups. X-Remote-Group is
>           suggested.
>       --requestheader-username-headers stringSlice
>           List of request headers to inspect for usernames. X-Remote-User
>           is common.
>
> https://kubernetes.io/docs/admin/kube-apiserver/
>
>
> On Mon, Jul 17, 2017 at 2:16 PM, Xin Guo <guoxin73...@gmail.com> wrote:
>
>> When I add GenericAdmissionWebhook to the end of the flag
>> --admission-control, the whole API server won't work. The response of
>> "kubectl get nodes" is " Unable to connect to the server: EOF". However, if
>> I just remove GenericAdmissionWebhook from the flag --admission-control,
>> everything works fine. Can somebody help me with it? Do I need to make
>> other changes in api-server.yaml to enable this feature? Thanks!
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Kubernetes user discussion and Q&A" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to kubernetes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to kubernetes-users@googlegroups.com.
>> Visit this group at https://groups.google.com/group/kubernetes-users.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
