Kubernetes Deployment Reference
Pomerium-specific parameters should be configured via the ingress.pomerium.io/Pomerium
CRD. The default Pomerium deployment is listening to the CRD global
, that may be customized via command line parameters.
Pomerium posts updates to the CRD /status
:
kubectl describe pomerium
Kubernetes-specific deployment parameters should be added via kustomize
to the manifests.
Spec
PomeriumSpec defines Pomerium-specific configuration parameters.
AccessLogFields sets the access fields to log. |
Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used. |
AuthorizeLogFields sets the authorize fields to log. |
CASecret should refer to k8s secrets with key |
Certificates is a list of secrets of type TLS to use Format: reference to Kubernetes resource with namespace prefix:namespace/name format. |
Cookie defines Pomerium session cookie options. |
IdentityProvider configure single-sign-on authentication and user identity details by integrating with your Identity Provider |
JWTClaimHeaders convert claims from the assertion token into HTTP headers and adds them into JWT assertion header. Please make sure to read Getting User Identity guide. |
ProgrammaticRedirectDomains specifies a list of domains that can be used for programmatic redirects. |
Required. Secrets references a Secret with Pomerium bootstrap parameters.
In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a namespace/name format. |
SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service. See Set Response Headers |
Storage defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production). |
Timeout specifies the global timeouts for all routes. |
UseProxyProtocol enables Proxy Protocol support. |
authenticate
Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used.
CallbackPath sets the path at which the authenticate service receives callback responses from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client. This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs. Defaults to |
Required. AuthenticateURL is a dedicated domain URL the non-authenticated persons would be referred to.
|
cookie
Cookie defines Pomerium session cookie options.
Domain defaults to the same host that set the cookie. If you specify the domain explicitly, then subdomains would also be included. |
Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected. See Session Management (Enterprise) for a more fine-grained session controls. Defaults to 14 hours. Format: a duration string like "22s" as parsed by Golang time.ParseDuration. |
HTTPOnly if set to |
Name sets the Pomerium session cookie name. Defaults to |
SameSite sets the SameSite option for cookies. Defaults to |
Secure if set to false, would make a cookie accessible over insecure protocols (HTTP). Defaults to |
identityProvider
IdentityProvider configure single-sign-on authentication and user identity details by integrating with your Identity Provider
Required. Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication. To use a generic provider, set to |
RefreshDirectory is no longer supported, please see Upgrade Guide. |
RequestParams to be added as part of a sign-in request using OAuth2 code flow. |
RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext. Format: reference to Kubernetes resource with namespace prefix:namespace/name format. |
Scopes Identity provider scopes correspond to access privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749. |
Required. Secret containing IdP provider specific parameters. and must contain at least namespace/name format. |
ServiceAccountFromSecret is no longer supported, see Upgrade Guide. |
URL is the base path to an identity provider's OpenID connect discovery document. See Identity Providers guides for details. Format: an URI as parsed by Golang net/url.ParseRequestURI. |
postgres
Postgres specifies PostgreSQL database connection parameters
CASecret should refer to a k8s secret with key namespace/name format. |
Required. Secret specifies a name of a Secret that must contain namespace/name format. |
TLSSecret should refer to a k8s secret of type namespace/name format. |
redis
Redis defines REDIS connection parameters
CASecret should refer to a k8s secret with key namespace/name format. |
Required. Secret specifies a name of a Secret that must contain namespace/name format. |
TLSSecret should refer to a k8s secret of type namespace/name format. |
TLSSkipVerify disables TLS certificate chain validation. |
refreshDirectory
RefreshDirectory is no longer supported, please see Upgrade Guide.
Required. interval is the time that pomerium will sync your IDP directory. Format: a duration string like "22s" as parsed by Golang time.ParseDuration. |
Required. timeout is the maximum time allowed each run. Format: a duration string like "22s" as parsed by Golang time.ParseDuration. |
storage
Storage defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
Postgres specifies PostgreSQL database connection parameters |
Redis defines REDIS connection parameters |
timeouts
Timeout specifies the global timeouts for all routes.
Idle specifies the time at which a downstream or upstream connection will be terminated if there are no active streams. Format: a duration string like "22s" as parsed by Golang time.ParseDuration. |
Read specifies the amount of time for the entire request stream to be received from the client. Format: a duration string like "22s" as parsed by Golang time.ParseDuration. |
Write specifies max stream duration is the maximum time that a stream’s lifetime will span. An HTTP request/response exchange fully consumes a single stream. Therefore, this value must be greater than read_timeout as it covers both request and response time. Format: a duration string like "22s" as parsed by Golang time.ParseDuration. |
Status
PomeriumStatus represents configuration and Ingress status.
Routes provide per-Ingress status. |
SettingsStatus represent most recent main configuration reconciliation status. |
ingress
ResourceStatus represents the outcome of the latest attempt to reconcile relevant Kubernetes resource with Pomerium.
Error that prevented latest observedGeneration to be synchronized with Pomerium. |
ObservedAt is when last reconciliation attempt was made. Format: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339. |
ObservedGeneration represents the |
Required. Reconciled is whether this object generation was successfully synced with pomerium. |
Warnings while parsing the resource. |
settingsStatus
SettingsStatus represent most recent main configuration reconciliation status.
Error that prevented latest observedGeneration to be synchronized with Pomerium. |
ObservedAt is when last reconciliation attempt was made. Format: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339. |
ObservedGeneration represents the |
Required. Reconciled is whether this object generation was successfully synced with pomerium. |
Warnings while parsing the resource. |