AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    Stash

    Backup and Recovery Solution for Kubernetes

    KubeVault

    Run Production-Grade Vault on Kubernetes

    Voyager

    Secure Ingress Controller for Kubernetes

    ConfigSyncer

    Kubernetes Configuration Syncer

    Guard

    Kubernetes Authentication WebHook Server

    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • check-boxLower administrative burden
    • check-boxNative Kubernetes Support
    • check-boxPerformance
    • check-boxAvailability and durability
    • check-boxManageability
    • check-boxCost-effectiveness
    • check-boxSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • check-boxVault Kubernetes Deployment
    • check-boxAuto Initialization & Unsealing
    • check-boxVault Backup & Restore
    • check-boxConsume KubeVault Secrets with CSI
    • check-boxManage DB Users Privileges
    • check-boxStorage Backend
    • check-boxAuthentication Method
    • check-boxDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • check-boxHTTP & TCP
    • check-boxSSL
    • check-boxPlatform support
    • check-boxHAProxy
    • check-boxPrometheus
    • check-boxLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • check-boxConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • check-boxIdentity Providers
    • check-boxCLI
    • check-boxRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
Guard
github-icon twitterx-icon
TRY NOW FREE

guard run

Run server

guard run [flags]

Options

      --auth-providers strings                       name of providers for which guard will provide authentication service (required), supported providers : Azure/Github/Gitlab/Google/Ldap/Token-Auth
      --authz-providers strings                      name of providers for which guard will provide authorization service, supported providers : Azure
      --azure.aks-authz-token-url string             url to call for AKS Authz flow
      --azure.aks-token-url string                   url to call for AKS OBO flow
      --azure.allow-nonres-discovery-path-access     allow access on Non Resource paths required for discovery, setting it false will require explicit non resource path role assignment for all users in Azure RBAC (default true)
      --azure.arm-call-limit int                     No of calls before which webhook switch to new ARM instance to avoid throttling (default 2000)
      --azure.auth-mode string                       auth mode to call graph api, valid value is either aks, obo, client-credential or passthrough (default "client-credential")
      --azure.authz-mode string                      authz mode to call RBAC api, valid values are either aks, arc, or fleet
      --azure.client-id string                       MS Graph application client ID to use
      --azure.client-secret string                   MS Graph application client secret to use
      --azure.discover-resources                     fetch list of resources and operations from apiserver and azure. Default: false
      --azure.enable-pop                             Enabling pop token verification
      --azure.environment string                     Azure cloud environment
      --azure.graph-call-on-overage-claim            set to true to resolve group membership only when overage claim is present. setting to false will always call graph api to resolve group membership
      --azure.kubeconfig-file string                 path to the kubeconfig of cluster.
      --azure.pop-hostname string                    hostname used to run the pop hostname verification; 'u' claim
      --azure.pop-token-validity-duration duration   time duration for PoP token to be considered valid from creation time, default 15 min (default 15ns)
      --azure.resource-id string                     azure cluster resource id (//subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.ContainerService/managedClusters/<clustername> for AKS, //subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.ContainerService/fleets/<clustername> for Azure Kubernetes Fleet Manager, or //subscription/<subName>/resourcegroups/<RGname>/providers/Microsoft.Kubernetes/connectedClusters/<clustername> for arc) to be used as scope for RBAC check
      --azure.skip-authz-check strings               name of usernames/email for which authz check will be skipped
      --azure.skip-authz-for-non-aad-users           skip authz for non AAD users (default true)
      --azure.skip-group-membership-resolution       when set to true, this will bypass getting group membership from graph api
      --azure.tenant-id string                       MS Graph application tenant id to use
      --azure.use-group-uid                          Use group UID for authentication instead of group display name (default true)
      --azure.use-ns-resource-scope-format           use namespace as resource scope format for making rbac checkaccess calls at namespace scope
      --azure.verify-clientID                        set to true to validate token's audience claim matches clientID
      --clock-check-interval duration                Interval between checking time against NTP servers, set to 0 to disable checks (default 10m0s)
      --github.base-url string                       Base url for enterprise, keep empty to use default github base url
      --gitlab.base-url string                       Base url for GitLab, including the API path, keep empty to use default gitlab base url.
      --gitlab.use-group-id                          Use group ID for authentication instead of group full path
      --google.admin-email string                    Email of G Suite administrator
      --google.sa-json-file string                   Path to Google service account json file
  -h, --help                                         help for run
      --ldap.auth-choice AuthChoice                  LDAP user authentication mechanisms Simple/Kerberos(via GSSAPI) (default Simple)
      --ldap.bind-dn string                          The connector uses this DN in credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
      --ldap.bind-password string                    The connector uses this password in credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
      --ldap.ca-cert-file string                     ca cert file that used for self signed server certificate
      --ldap.group-member-attribute string           Ldap group member attribute (default "member")
      --ldap.group-name-attribute string             Ldap group name attribute (default "cn")
      --ldap.group-search-dn string                  BaseDN to start the search group
      --ldap.group-search-filter string              Filter to apply when searching the groups that user is member of (default "(objectClass=groupOfNames)")
      --ldap.is-secure-ldap                          Secure LDAP (LDAPS)
      --ldap.keytab-file string                      path to the keytab file, it's contain LDAP service principal keys
      --ldap.server-address string                   Host or IP of the LDAP server
      --ldap.server-port string                      LDAP server port (default "389")
      --ldap.service-account string                  service account name
      --ldap.skip-tls-verification                   Skip LDAP server TLS verification, default : false
      --ldap.start-tls                               Start tls connection
      --ldap.user-attribute string                   Ldap username attribute (default "uid")
      --ldap.user-search-dn string                   BaseDN to start the search user
      --ldap.user-search-filter string               Filter to apply when searching user (default "(objectClass=person)")
      --max-clock-skew duration                      Max acceptable clock skew for server clock (default 2m0s)
      --ntp-server string                            Address of NTP serer used to check clock skew (default "0.pool.ntp.org")
      --secure-addr string                           host:port used to serve secure apis (default ":8443")
      --server-read-timeout duration                 Guard http server read timeout. Default is 5 seconds. (default 5s)
      --server-write-timeout duration                Guard http server write timeout. Default is 10 seconds. (default 10s)
      --tls-ca-file string                           File containing CA certificate
      --tls-cert-file string                         File container server TLS certificate
      --tls-private-key-file string                  File containing server TLS private key
      --token-auth-file string                       To enable static token authentication

SEE ALSO

  • guard - Guard by AppsCode - Kubernetes Authentication WebHook Server

What's on this Page

Search
Improve This Page