stek29 · May 22, 2022 00:19
diff --git a/kube-apiserver-args.yaml b/kube-apiserver-args.yaml
 - command:
  - kube-apiserver
  - --bind-address=127.0.1.1
  - --requestheader-allowed-names=front-proxy-client
  - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
  - --requestheader-extra-headers-prefix=X-Remote-Extra-
  - --requestheader-group-headers=X-Remote-Group
  - --requestheader-username-headers=X-Remote-User
  - --secure-port=6443
  - ... more args ...
diff --git a/kube-apiserver.nginx b/kube-apiserver.nginx
 upstream kubeapi {
 	server 127.0.1.1:6443;
 }

 map $ssl_client_s_dn $ssl_client_s_dn_cn {
    default "";
    ~CN=(?<CN>[^/,\"]+) $CN;
 }

 map $ssl_client_s_dn $ssl_client_s_dn_o {
    default "";
    ~O=(?<O>[^/,\"]+) $O;
 }

 server {
 	listen 127.0.0.1:6443 ssl default_server;
 	listen 192.168.5.15:6443 ssl default_server;

 	ssl_certificate /etc/kubernetes/pki/apiserver.crt;
 	ssl_certificate_key /etc/kubernetes/pki/apiserver.key;

 	ssl_client_certificate /etc/kubernetes/pki/ca.crt;
 	ssl_protocols TLSv1.2 TLSv1.3;

 	ssl_verify_client optional;

 	location / {
 		proxy_set_header 'X-Remote-User' $ssl_client_s_dn_cn;
 		proxy_set_header 'X-Remote-Group' $ssl_client_s_dn_o;
 		proxy_ssl_certificate /etc/kubernetes/pki/front-proxy-client.crt;
 		proxy_ssl_certificate_key /etc/kubernetes/pki/front-proxy-client.key;
 		proxy_ssl_trusted_certificate /etc/kubernetes/pki/ca.crt;
 		proxy_pass https://kubeapi;
 	}
 }
	- command:
	- kube-apiserver
	- --bind-address=127.0.1.1
	- --requestheader-allowed-names=front-proxy-client
	- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
	- --requestheader-extra-headers-prefix=X-Remote-Extra-
	- --requestheader-group-headers=X-Remote-Group
	- --requestheader-username-headers=X-Remote-User
	- --secure-port=6443
	- ... more args ...
	upstream kubeapi {
	server 127.0.1.1:6443;
	}

	map $ssl_client_s_dn $ssl_client_s_dn_cn {
	default "";
	~CN=(?<CN>[^/,\"]+) $CN;
	}

	map $ssl_client_s_dn $ssl_client_s_dn_o {
	default "";
	~O=(?<O>[^/,\"]+) $O;
	}

	server {
	listen 127.0.0.1:6443 ssl default_server;
	listen 192.168.5.15:6443 ssl default_server;

	ssl_certificate /etc/kubernetes/pki/apiserver.crt;
	ssl_certificate_key /etc/kubernetes/pki/apiserver.key;

	ssl_client_certificate /etc/kubernetes/pki/ca.crt;
	ssl_protocols TLSv1.2 TLSv1.3;

	ssl_verify_client optional;

	location / {
	proxy_set_header 'X-Remote-User' $ssl_client_s_dn_cn;
	proxy_set_header 'X-Remote-Group' $ssl_client_s_dn_o;
	proxy_ssl_certificate /etc/kubernetes/pki/front-proxy-client.crt;
	proxy_ssl_certificate_key /etc/kubernetes/pki/front-proxy-client.key;
	proxy_ssl_trusted_certificate /etc/kubernetes/pki/ca.crt;
	proxy_pass https://kubeapi;
	}
	}