Kubernetes Deployment Reference
Pomerium-specific parameters should be configured via the ingress.pomerium.io/Pomerium CRD. The default Pomerium deployment listens to the CRD named global, which may be customized via command-line parameters.
Pomerium posts updates to the CRD /status:
kubectl describe pomerium
Kubernetes-specific deployment parameters should be added via kustomize
to the manifests.
Spec
PomeriumSpec defines Pomerium-specific configuration parameters.
| Field | Type | Description |
|---|---|---|
| AccessLogFields | []string | Sets the access log fields to log. |
| Authenticate | object (authenticate) | Sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service is used. |
| AuthorizeLogFields | []string | Sets the authorize log fields to log. |
| CASecret | []string | Should refer to Kubernetes secrets with key |
| Certificates | []string (namespace/name) | A list of secrets of type TLS to use. Format: reference to a Kubernetes resource with namespace prefix: |
| Cookie | object (cookie) | Defines Pomerium session cookie options. |
| IdentityProvider | object (identityProvider) | Configures single sign-on authentication and user identity details by integrating with your identity provider. |
| JWTClaimHeaders | | Converts claims from the assertion token into HTTP headers and adds them to the JWT assertion header. Please make sure to read the Getting User Identity guide. |
| PassIdentityHeaders | boolean | Sets the pass identity headers option. |
| ProgrammaticRedirectDomains | []string | Specifies a list of domains that can be used for programmatic redirects. |
| RuntimeFlags | | Sets the runtime flags to enable or disable certain features. |
| Secrets | string (namespace/name) | Required. References a Secret with Pomerium bootstrap parameters. In a default Pomerium installation manifest, these are generated by a one-time job and stored in a Secret. Format: reference to a Kubernetes resource with namespace prefix: |
| SetResponseHeaders | | Specifies a mapping of HTTP headers to be added globally to all managed routes and Pomerium's authenticate service. See Set Response Headers. |
| Storage | object (storage) | Defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium uses transient in-memory storage (not recommended for production). |
| Timeouts | object (timeouts) | Specifies the global timeouts for all routes. |
| UseProxyProtocol | boolean | Enables Proxy Protocol support. |
authenticate
Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used.
| Field | Type | Description |
|---|---|---|
| CallbackPath | string | Sets the path at which the authenticate service receives callback responses from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client. This value is referred to as the redirect_url in the OpenID Connect and OAuth 2 specs. Defaults to |
| AuthenticateURL | string (uri) | Required. A dedicated domain URL that non-authenticated users are referred to. Format: a URI as parsed by Go's net/url.ParseRequestURI. |
cookie
Cookie defines Pomerium session cookie options.
| Field | Type | Description |
|---|---|---|
| Domain | string | Defaults to the same host that set the cookie. If you specify the domain explicitly, subdomains are also included. |
| Expire | string (duration) | Sets the cookie and Pomerium session expiration time. Once the session expires, users have to log in again. Changing this parameter does not affect existing sessions. See Session Management (Enterprise) for more fine-grained session controls. Defaults to 14 hours. Format: a duration string like "22s" as parsed by Go's time.ParseDuration. |
| HTTPOnly | boolean | If set to |
| Name | string | Sets the Pomerium session cookie name. Defaults to |
| SameSite | string | Sets the SameSite option for cookies. Defaults to |
identityProvider
IdentityProvider configures single sign-on authentication and user identity details by integrating with your identity provider.
| Field | Type | Description |
|---|---|---|
| Provider | string | Required. The short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication. To use a generic provider, set to |
| RefreshDirectory | object (refreshDirectory) | No longer supported; please see the Upgrade Guide. |
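As an added example that is not part of the Pomerium documentation, the following Pomerium CR named global ties the Spec, authenticate, cookie and identityProvider parameters above into one manifest with production-leaning choices (persistent storage, HttpOnly and SameSite cookies, HSTS). The YAML key names are assumed to be the lower-camelCase form of the field names in the tables, the API version and the identityProvider url/secret and storage.postgres.secret keys are assumptions, and every hostname and namespace/name reference is a placeholder.

```yaml
# Added example, not the project's own manifest. Key names are assumed to be the
# lower-camelCase form of the reference tables; all references are placeholders.
apiVersion: ingress.pomerium.io/v1          # assumed API version
kind: Pomerium
metadata:
  name: global                              # the CRD instance the default deployment watches
spec:
  # Required: Secret holding the bootstrap parameters (placeholder reference).
  secrets: pomerium/bootstrap
  authenticate:
    # Required: dedicated URL that non-authenticated users are referred to.
    url: https://authenticate.example.com
    # Must exactly match an authorized redirect URI registered with the OAuth 2.0 client.
    callbackPath: /oauth2/callback
  identityProvider:
    provider: oidc                          # short-hand name of a built-in provider
    url: https://idp.example.com            # assumed field: issuer URL for a generic provider
    secret: pomerium/idp                    # assumed field: Secret with the client credentials
  cookie:
    name: _pomerium
    domain: example.com                     # explicit domain also covers subdomains
    expire: 8h                              # Go duration string; tighter than the 14h default
    httpOnly: true                          # keep the session cookie away from page scripts
    sameSite: lax                           # limits cross-site sending of the session cookie
  storage:
    # Persistent session store; the transient in-memory default is not for production.
    postgres:
      secret: pomerium/postgres             # assumed field: Secret with the connection string
  certificates:
    - default/wildcard-example-com-tls      # namespace/name of a Secret of type TLS
  jwtClaimHeaders:
    X-Pomerium-Claim-Email: email           # header name -> claim from the assertion token
  setResponseHeaders:
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Frame-Options: SAMEORIGIN
  passIdentityHeaders: false
  useProxyProtocol: false
```

After applying it, kubectl describe pomerium shows the status Pomerium posts back, which is where a rejected reference (for example a misspelled namespace/name) surfaces.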