guard run
Run server
guard run [flags]
Options
--auth-providers strings name of providers for which guard will provide authentication service (required), supported providers : Azure/Github/Gitlab/Google/Ldap/Token-Auth
--authz-providers strings name of providers for which guard will provide authorization service, supported providers : Azure
--azure.aks-authz-token-url string url to call for AKS Authz flow
--azure.aks-token-url string url to call for AKS OBO flow
--azure.allow-nonres-discovery-path-access allow access on Non Resource paths required for discovery, setting it false will require explicit non resource path role assignment for all users in Azure RBAC (default true)
--azure.arm-call-limit int No of calls before which webhook switch to new ARM instance to avoid throttling (default 2000)
--azure.auth-mode string auth mode to call graph api, valid value is either aks, obo, client-credential or passthrough (default "client-credential")
--azure.authz-mode string authz mode to call RBAC api, valid values are either aks, arc, or fleet
--azure.client-id string MS Graph application client ID to use
--azure.client-secret string MS Graph application client secret to use
--azure.discover-resources fetch list of resources and operations from apiserver and azure. Default: false
--azure.enable-pop Enabling pop token verification
--azure.environment string Azure cloud environment
--azure.graph-call-on-overage-claim set to true to resolve group membership only when overage claim is present. setting to false will always call graph api to resolve group membership
--azure.kubeconfig-file string path to the kubeconfig of cluster.
--azure.pop-hostname string hostname used to run the pop hostname verification; 'u' claim
--azure.pop-token-validity-duration duration time duration for PoP token to be considered valid from creation time, default 15 min (default 15ns)
--azure.resource-id string azure cluster resource id (//subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.ContainerService/managedClusters/<clustername> for AKS, //subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.ContainerService/fleets/<clustername> for Azure Kubernetes Fleet Manager, or //subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.Kubernetes/connectedClusters/<clustername> for arc) to be used as scope for RBAC check
--azure.skip-authz-check strings name of usernames/email for which authz check will be skipped
--azure.skip-authz-for-non-aad-users skip authz for non AAD users (default true)
--azure.skip-group-membership-resolution when set to true, this will bypass getting group membership from graph api
--azure.tenant-id string MS Graph application tenant id to use
--azure.use-group-uid Use group UID for authentication instead of group display name (default true)
--azure.use-ns-resource-scope-format use namespace as resource scope format for making rbac checkaccess calls at namespace scope
--azure.verify-clientID set to true to validate token's audience claim matches clientID
--clock-check-interval duration Interval between checking time against NTP servers, set to 0 to disable checks (default 10m0s)
--github.base-url string Base url for enterprise, keep empty to use default github base url
--gitlab.base-url string Base url for GitLab, including the API path, keep empty to use default gitlab base url.
--gitlab.use-group-id Use group ID for authentication instead of group full path
--google.admin-email string Email of G Suite administrator
--google.sa-json-file string Path to Google service account json file
-h, --help help for run
--ldap.auth-choice AuthChoice LDAP user authentication mechanisms Simple/Kerberos(via GSSAPI) (default Simple)
--ldap.bind-dn string The connector uses this DN in credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
--ldap.bind-password string The connector uses this password in credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
--ldap.ca-cert-file string ca cert file that used for self signed server certificate
--ldap.group-member-attribute string Ldap group member attribute (default "member")
--ldap.group-name-attribute string Ldap group name attribute (default "cn")
--ldap.group-search-dn string BaseDN to start the search group
--ldap.group-search-filter string Filter to apply when searching the groups that user is member of (default "(objectClass=groupOfNames)")
--ldap.is-secure-ldap Secure LDAP (LDAPS)
--ldap.keytab-file string path to the keytab file, it's contain LDAP service principal keys
--ldap.server-address string Host or IP of the LDAP server
--ldap.server-port string LDAP server port (default "389")
--ldap.service-account string service account name
--ldap.skip-tls-verification Skip LDAP server TLS verification, default : false
--ldap.start-tls Start tls connection
--ldap.user-attribute string Ldap username attribute (default "uid")
--ldap.user-search-dn string BaseDN to start the search user
--ldap.user-search-filter string Filter to apply when searching user (default "(objectClass=person)")
--max-clock-skew duration Max acceptable clock skew for server clock (default 2m0s)
--ntp-server string Address of NTP serer used to check clock skew (default "0.pool.ntp.org")
--secure-addr string host:port used to serve secure apis (default ":8443")
--server-read-timeout duration Guard http server read timeout. Default is 5 seconds. (default 5s)
--server-write-timeout duration Guard http server write timeout. Default is 10 seconds. (default 10s)
--tls-ca-file string File containing CA certificate
--tls-cert-file string File container server TLS certificate
--tls-private-key-file string File containing server TLS private key
--token-auth-file string To enable static token authentication
SEE ALSO
- guard - Guard by AppsCode - Kubernetes Authentication WebHook Server