guard run

Run server

guard run [flags]


      --auth-providers strings                       name of providers for which guard will provide authentication service (required), supported providers : Azure/Github/Gitlab/Google/Ldap/Token-Auth
      --authz-providers strings                      name of providers for which guard will provide authorization service, supported providers : Azure
      --azure.aks-authz-token-url string             url to call for AKS Authz flow
      --azure.aks-token-url string                   url to call for AKS OBO flow
      --azure.allow-nonres-discovery-path-access     allow access on Non Resource paths required for discovery, setting it false will require explicit non resource path role assignment for all users in Azure RBAC (default true)
      --azure.arm-call-limit int                     No of calls before which webhook switch to new ARM instance to avoid throttling (default 2000)
      --azure.auth-mode string                       auth mode to call graph api, valid value is either aks, obo, client-credential or passthrough (default "client-credential")
      --azure.authz-mode string                      authz mode to call RBAC api, valid values are either aks, arc, or fleet
      --azure.client-id string                       MS Graph application client ID to use
      --azure.client-secret string                   MS Graph application client secret to use                     fetch list of resources and operations from apiserver and azure. Default: false
      --azure.enable-pop                             Enabling pop token verification
      --azure.environment string                     Azure cloud environment
      --azure.graph-call-on-overage-claim            set to true to resolve group membership only when overage claim is present. setting to false will always call graph api to resolve group membership
      --azure.kubeconfig-file string                 path to the kubeconfig of cluster.
      --azure.pop-hostname string                    hostname used to run the pop hostname verification; 'u' claim
      --azure.pop-token-validity-duration duration   time duration for PoP token to be considered valid from creation time, default 15 min (default 15ns)
      --azure.resource-id string                     azure cluster resource id (//subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.ContainerService/managedClusters/<clustername> for AKS, //subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.ContainerService/fleets/<clustername> for Azure Kubernetes Fleet Manager, or //subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.Kubernetes/connectedClusters/<clustername> for arc) to be used as scope for RBAC check
      --azure.skip-authz-check strings               name of usernames/email for which authz check will be skipped
      --azure.skip-authz-for-non-aad-users           skip authz for non AAD users (default true)
      --azure.skip-group-membership-resolution       when set to true, this will bypass getting group membership from graph api
      --azure.tenant-id string                       MS Graph application tenant id to use
      --azure.use-group-uid                          Use group UID for authentication instead of group display name (default true)
      --azure.use-ns-resource-scope-format           use namespace as resource scope format for making rbac checkaccess calls at namespace scope
      --azure.verify-clientID                        set to true to validate token's audience claim matches clientID
      --clock-check-interval duration                Interval between checking time against NTP servers, set to 0 to disable checks (default 10m0s)
      --github.base-url string                       Base url for enterprise, keep empty to use default github base url
      --gitlab.base-url string                       Base url for GitLab, including the API path, keep empty to use default gitlab base url.
      --gitlab.use-group-id                          Use group ID for authentication instead of group full path
      --google.admin-email string                    Email of G Suite administrator string                   Path to Google service account json file
  -h, --help                                         help for run
      --ldap.auth-choice AuthChoice                  LDAP user authentication mechanisms Simple/Kerberos(via GSSAPI) (default Simple)
      --ldap.bind-dn string                          The connector uses this DN in credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
      --ldap.bind-password string                    The connector uses this password in credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth. string                     ca cert file that used for self signed server certificate string           Ldap group member attribute (default "member") string             Ldap group name attribute (default "cn") string                  BaseDN to start the search group string              Filter to apply when searching the groups that user is member of (default "(objectClass=groupOfNames)")                          Secure LDAP (LDAPS)
      --ldap.keytab-file string                      path to the keytab file, it's contain LDAP service principal keys
      --ldap.server-address string                   Host or IP of the LDAP server
      --ldap.server-port string                      LDAP server port (default "389")
      --ldap.service-account string                  service account name
      --ldap.skip-tls-verification                   Skip LDAP server TLS verification, default : false
      --ldap.start-tls                               Start tls connection
      --ldap.user-attribute string                   Ldap username attribute (default "uid")
      --ldap.user-search-dn string                   BaseDN to start the search user
      --ldap.user-search-filter string               Filter to apply when searching user (default "(objectClass=person)")
      --max-clock-skew duration                      Max acceptable clock skew for server clock (default 2m0s)
      --ntp-server string                            Address of NTP serer used to check clock skew (default "")
      --secure-addr string                           host:port used to serve secure apis (default ":8443")
      --server-read-timeout duration                 Guard http server read timeout. Default is 5 seconds. (default 5s)
      --server-write-timeout duration                Guard http server write timeout. Default is 10 seconds. (default 10s)
      --tls-ca-file string                           File containing CA certificate
      --tls-cert-file string                         File container server TLS certificate
      --tls-private-key-file string                  File containing server TLS private key
      --token-auth-file string                       To enable static token authentication


