I am installing the following Helm chart https://github.com/helm/charts/tree/master/stable/oauth2-proxy with this command:
helm install --name authproxy \
--namespace=ingress \
--set config.clientID=<github oauth app client id> \
--set config.clientSecret=<github oauth app client secret> \
--set config.cookieSecret=<some secret> \
--set extraArgs.provider=github \
--set authenticatedEmailsFile.enabled=true \
--set authenticatedEmailsFile.restricted_access="abc@gmail.com" \
stable/oauth2-proxy
All the k8s resources are created correctly, and oauth2_proxy is protecting the service I run behind this proxy. But it allows all GitHub users (since the OAuth provider is GitHub) instead of only allowing access to abc@gmail.com. Why is that?
Helm version
Client: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Kubectl version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.11", GitCommit:"637c7e288581ee40ab4ca210618a89a555b6e7e9", GitTreeState:"clean", BuildDate:"2018-11-26T14:38:32Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.8", GitCommit:"a89f8c11a5f4f132503edbc4918c98518fd504e3", GitTreeState:"clean", BuildDate:"2019-04-23T04:41:47Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
kubectl describe cm authproxy-oauth2-proxy-accesslist -n ingress gives me:
Name:         authproxy-oauth2-proxy-accesslist
Namespace:    ingress
Labels:       app=oauth2-proxy
              chart=oauth2-proxy-0.13.0
              heritage=Tiller
              release=authproxy
Annotations:  <none>

Data
====
restricted_user_access:
----
abc@gmail.com
Events:  <none>
kubectl describe deployment authproxy-oauth2-proxy -n ingress gives me:
Name:                   authproxy-oauth2-proxy
Namespace:              ingress
CreationTimestamp:      Wed, 31 Jul 2019 23:35:58 +0200
Labels:                 app=oauth2-proxy
                        chart=oauth2-proxy-0.13.0
                        heritage=Tiller
                        release=authproxy
Annotations:            deployment.kubernetes.io/revision=1
Selector:               app=oauth2-proxy,release=authproxy
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:       app=oauth2-proxy
                release=authproxy
  Annotations:  checksum/config=e2b420ec4978f9c8f5691b15c79b15a60c864499ad729df2776dca63a745aecc
                checksum/config-emails=4c24c472d9e274c18876d8a01f14a126b741d92942e4531c18fd288b86d648ad
                checksum/google-secret=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                checksum/secret=b00f895c2fa3a3bc6028a660998b9872bee7c8aeb70b1bbe50183b65a06e1666
  Containers:
   oauth2-proxy:
    Image:      quay.io/pusher/oauth2_proxy:v3.2.0
    Port:       4180/TCP
    Host Port:  0/TCP
    Args:
      --http-address=0.0.0.0:4180
      --provider=github
      --config=/etc/oauth2_proxy/oauth2_proxy.cfg
      --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
    Liveness:   http-get http://:http/ping delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:  http-get http://:http/ping delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:
      OAUTH2_PROXY_CLIENT_ID:      <set to the key 'client-id' in secret 'authproxy-oauth2-proxy'>      Optional: false
      OAUTH2_PROXY_CLIENT_SECRET:  <set to the key 'client-secret' in secret 'authproxy-oauth2-proxy'>  Optional: false
      OAUTH2_PROXY_COOKIE_SECRET:  <set to the key 'cookie-secret' in secret 'authproxy-oauth2-proxy'>  Optional: false
    Mounts:
      /etc/oauth2-proxy from configaccesslist (ro)
      /etc/oauth2_proxy from configmain (rw)
  Volumes:
   configmain:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      authproxy-oauth2-proxy
    Optional:  false
   configaccesslist:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      authproxy-oauth2-proxy-accesslist
    Optional:  false
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  authproxy-oauth2-proxy-559b67cb45 (1/1 replicas created)
NewReplicaSet:   <none>
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  44m   deployment-controller  Scaled up replica set authproxy-oauth2-proxy-559b67cb45 to 1
How should I pass the parameters to this Helm chart so that it only allows access to users whose email IDs are listed in the authenticateEmailList?
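When an allow-list like the one in this question lets everyone through, the two things worth checking are the content of the file the proxy actually reads (the `--authenticated-emails-file` path in the pod, here /etc/oauth2-proxy/authenticated-emails-list) and the email-domain setting in the config file it loads (here /etc/oauth2_proxy/oauth2_proxy.cfg, whose contents are not shown in the question), because in oauth2_proxy an email domain of `*` accepts every authenticated user before the file is consulted. The script below is an added example, not code from the question or from the oauth2-proxy project. It models the validator as: one address per line, trimmed and compared case-insensitively, `*` in either the file or the domain list allowing everyone, and domain entries matching as an `@domain` suffix; treat that model as an assumption to confirm against the oauth2_proxy version in use (v3.2.0 here). The sample file contents are constructed.

```python
"""Offline sanity check for an oauth2_proxy authenticated-emails allow-list.

Added example; the matching rules below are an assumption modelled on
oauth2_proxy's validator, not the project's own code.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample inputs. The second one carries the pitfalls that most
# often make an allow-list behave unexpectedly (CRLF, padding, blank lines).
SAMPLE_LIST = "abc@gmail.com\n"
SAMPLE_LIST_WITH_PITFALLS = "abc@gmail.com\r\n Other@Example.org \n\n"


def parse_authenticated_emails(text: str) -> Set[str]:
    """Return the allowed addresses, one per line, stripped and lower-cased."""
    allowed: Set[str] = set()
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if entry:
            allowed.add(entry)
    return allowed


def is_allowed(email: str, allowed: Set[str], email_domains: Iterable[str] = ()) -> bool:
    """Decide whether an authenticated user's address passes the allow-list.

    Assumed precedence: a '*' domain or a '*' file entry opens the proxy to
    everyone; otherwise an '@domain' suffix match or an exact (case-insensitive)
    address match is required.
    """
    email = email.strip().lower()
    if not email:
        return False
    domains = [d.strip().lower() for d in email_domains if d.strip()]
    if "*" in domains or "*" in allowed:
        return True
    if any(email.endswith("@" + d) for d in domains):
        return True
    return email in allowed


def lint_list(text: str) -> List[str]:
    """Flag file conditions that silently change who gets through."""
    warnings: List[str] = []
    if text.startswith("\ufeff"):
        warnings.append("file starts with a UTF-8 BOM; the first address may not match")
    if "\r" in text:
        warnings.append("CRLF line endings present; confirm the proxy strips them")
    entries = [line for line in text.splitlines() if line.strip()]
    if not entries:
        warnings.append("list is empty: nobody is allowed unless a domain rule matches")
    for line in entries:
        if line != line.strip():
            warnings.append(f"entry {line!r} has surrounding whitespace")
        if line.strip() == "*":
            warnings.append("wildcard '*' present: every authenticated user is allowed")
        elif "@" not in line:
            warnings.append(f"entry {line!r} is not an e-mail address")
    return warnings


def evaluate(text: str, candidates: List[str], email_domains: Iterable[str] = ()) -> Dict[str, bool]:
    """Map each candidate address to the decision the allow-list would give."""
    allowed = parse_authenticated_emails(text)
    return {c: is_allowed(c, allowed, email_domains) for c in candidates}


if __name__ == "__main__":
    probes = ["abc@gmail.com", "ABC@gmail.com", "other@example.org", "mallory@gmail.com"]
    for name, text in (("clean", SAMPLE_LIST), ("pitfalls", SAMPLE_LIST_WITH_PITFALLS)):
        print(name, "file only:", evaluate(text, probes))
        print(name, "with email_domains=['*']:", evaluate(text, probes, ["*"]))
        for w in lint_list(text):
            print("  warning:", w)
```

To use it against a live deployment, copy the file the container reads (for example with `kubectl exec` on the pod at the `--authenticated-emails-file` path) into a string and pass it to `evaluate` together with the `email_domains` value from the loaded config file; if the `['*']` run and the file-only run disagree, the domain setting, not the file, is what decides access.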