Filed https://github.com/kubernetes/kubernetes/issues/49050 to track this.
On Mon, Jul 17, 2017 at 2:39 PM, Daniel Smith <dbsm...@google.com> wrote:
> I think you need to pass the proxy cert & request header auth flags.
>
>   --proxy-client-cert-file string
>       Client certificate used to prove the identity of the aggregator or
>       kube-apiserver when it must call out during a request. This includes
>       proxying requests to a user api-server and calling out to webhook
>       admission plugins. It is expected that this cert includes a signature
>       from the CA in the --requestheader-client-ca-file flag. That CA is
>       published in the 'extension-apiserver-authentication' configmap in the
>       kube-system namespace. Components recieving calls from kube-aggregator
>       should use that CA to perform their half of the mutual TLS verification.
>   --proxy-client-key-file string
>       Private key for the client certificate used to prove the identity of
>       the aggregator or kube-apiserver when it must call out during a
>       request. This includes proxying requests to a user api-server and
>       calling out to webhook admission plugins.
>
>   --requestheader-allowed-names stringSlice
>       List of client certificate common names to allow to provide usernames
>       in headers specified by --requestheader-username-headers. If empty, any
>       client certificate validated by the authorities in
>       --requestheader-client-ca-file is allowed.
>   --requestheader-client-ca-file string
>       Root certificate bundle to use to verify client certificates on
>       incoming requests before trusting usernames in headers specified by
>       --requestheader-username-headers
>   --requestheader-extra-headers-prefix stringSlice
>       List of request header prefixes to inspect. X-Remote-Extra- is
>       suggested.
>   --requestheader-group-headers stringSlice
>       List of request headers to inspect for groups. X-Remote-Group is
>       suggested.
>   --requestheader-username-headers stringSlice
>       List of request headers to inspect for usernames. X-Remote-User is
>       common.
>
> https://kubernetes.io/docs/admin/kube-apiserver/
>
> On Mon, Jul 17, 2017 at 2:16 PM, Xin Guo <guoxin73...@gmail.com> wrote:
>
>> When I add GenericAdmissionWebhook to the end of the flag
>> --admission-control, the whole API server won't work. The response of
>> "kubectl get nodes" is "Unable to connect to the server: EOF". However, if
>> I just remove GenericAdmissionWebhook from the flag --admission-control,
>> everything works fine. Can somebody help me with it? Do I need to make
>> other changes in api-server.yaml to enable this feature? Thanks!
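
The receiving side of the check that the quoted flag help describes, as an added Go example (not part of this thread and not Kubernetes' own code): usernames in request headers are trusted only after the caller's client certificate has been verified and, when an allowed-names list is set, its common name matches. The names `remoteUser`, `fakeRequest` and the host `extension.example` are hypothetical, and the requests are constructed in memory instead of coming from a real TLS handshake.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/http"
)

// remoteUser returns the username asserted in headers, but only when the
// caller presented a verified client certificate. VerifiedChains is filled in
// by crypto/tls when the server's tls.Config.ClientCAs holds the bundle named
// by --requestheader-client-ca-file. If allowedNames is non-empty, the leaf
// certificate's common name must be on that list.
func remoteUser(r *http.Request, allowedNames, usernameHeaders []string) (string, error) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
		return "", errors.New("no verified client certificate; headers ignored")
	}
	cn := r.TLS.VerifiedChains[0][0].Subject.CommonName
	ok := len(allowedNames) == 0 // empty list: any cert signed by the CA is accepted
	for _, n := range allowedNames {
		ok = ok || n == cn
	}
	if !ok {
		return "", fmt.Errorf("client CN %q not in allowed names", cn)
	}
	for _, h := range usernameHeaders {
		if u := r.Header.Get(h); u != "" {
			return u, nil
		}
	}
	return "", errors.New("no username header present")
}

// fakeRequest builds a constructed request as if TLS had already verified a
// client certificate with common name cn (cn == "" means no certificate).
func fakeRequest(cn, user string) *http.Request {
	r, _ := http.NewRequest("GET", "https://extension.example/apis", nil)
	r.Header.Set("X-Remote-User", user)
	if cn != "" {
		leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
		r.TLS = &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
	}
	return r
}

func main() {
	u, err := remoteUser(fakeRequest("aggregator", "alice"), []string{"aggregator"}, []string{"X-Remote-User"})
	fmt.Println(u, err)
}
```

With an empty allowed-names list, every certificate issued by the request-header CA can assert any username, so that CA should sign only the proxy client certificate.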