This is a cache of https://docs.openshift.com/container-platform/4.4/authentication/configuring-user-agent.html. It is a snapshot of the page at 2024-11-28T01:18:01.747+0000.
Configuring the user agent | Authentication and authorization | OpenShift Container Platform 4.4
×

About the user agent

OpenShift Container Platform implements a user agent that can be used to prevent an application developer’s CLI accessing the OpenShift Container Platform API. If a client uses a particular library or binary file, they cannot access the OpenShift Container Platform API.

You construct user agents for the OpenShift Container Platform CLI from a set of values within OpenShift Container Platform:

<command>/<version> (<platform>/<architecture>) <client>/<git_commit>

For example, when:

  • <command> = oc

  • <version> = The client version. For example, v4.3.0. Requests made against the Kubernetes API at /api receive the Kubernetes version, while requests made against the OpenShift Container Platform API at /oapi receive the OpenShift Container Platform version (as specified by oc version)

  • <platform> = linux

  • <architecture> = amd64

  • <client> = openshift, or kubernetes depending on if the request is made against the Kubernetes API at /api, or the OpenShift Container Platform API at /oapi

  • <git_commit> = The Git commit of the client version (for example, f034127)

the user agent is:

oc/v3.3.0 (linux/amd64) openshift/f034127

Configuring the user agent

As an administrator, you can prevent clients from accessing the API with the userAgentMatching configuration setting of a master configuration.

Procedure
  • Modify the master configuration file to include the user agent configuration. For example, the following user agent denies the Kubernetes 1.2 client binary, OKD 1.1.3 binary, and the POST and PUT httpVerbs:

    policyConfig:
      userAgentMatchingConfig:
        defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
        deniedClients:
        - regex: '\w+/v(?:(?:1\.1\.1)|(?:1\.0\.1)) \(.+/.+\) openshift/\w{7}'
        - regex: '\w+/v(?:1\.1\.3) \(.+/.+\) openshift/\w{7}'
          httpVerbs:
          - POST
          - PUT
        - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
          httpVerbs:
          - POST
          - PUT
        requiredClients: null

    The following example denies clients that do not exactly match an expected client:

    policyConfig:
      userAgentMatchingConfig:
        defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
        deniedClients: []
        requiredClients:
        - regex: '\w+/v1\.1\.3 \(.+/.+\) openshift/\w{7}'
        - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
          httpVerbs:
          - POST
          - PUT