About the user agent

Azure Red Hat OpenShift implements a user agent that can be used to prevent an application developer’s CLI accessing the Azure Red Hat OpenShift API. If a client uses a particular library or binary file, they cannot access the Azure Red Hat OpenShift API.

You construct user agents for the Azure Red Hat OpenShift CLI from a set of values within Azure Red Hat OpenShift:

<command>/<version> (<platform>/<architecture>) <client>/<git_commit>

For example, when:

  • <command> = oc

  • <version> = The client version. For example, v4.3.0. Requests made against the Kubernetes API at /api receive the Kubernetes version, while requests made against the Azure Red Hat OpenShift API at /oapi receive the Azure Red Hat OpenShift version (as specified by oc version)

  • <platform> = linux

  • <architecture> = amd64

  • <client> = openshift, or kubernetes depending on if the request is made against the Kubernetes API at /api, or the Azure Red Hat OpenShift API at /oapi

  • <git_commit> = The Git commit of the client version (for example, f034127)

the user agent is:

oc/v3.3.0 (linux/amd64) openshift/f034127

Configuring the user agent

As an administrator, you can prevent clients from accessing the API with the userAgentMatching configuration setting of a master configuration.

Procedure
  • Modify the master configuration file to include the user agent configuration. For example, the following user agent denies the Kubernetes 1.2 client binary, OKD 1.1.3 binary, and the POST and PUT httpVerbs:

    policyConfig:
      userAgentMatchingConfig:
        defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
        deniedClients:
        - regex: '\w+/v(?:(?:1\.1\.1)|(?:1\.0\.1)) \(.+/.+\) openshift/\w{7}'
        - regex: '\w+/v(?:1\.1\.3) \(.+/.+\) openshift/\w{7}'
          httpVerbs:
          - POST
          - PUT
        - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
          httpVerbs:
          - POST
          - PUT
        requiredClients: null

    The following example denies clients that do not exactly match an expected client:

    policyConfig:
      userAgentMatchingConfig:
        defaultRejectionMessage: "Your client is too old.  Go to https://example.org to update it."
        deniedClients: []
        requiredClients:
        - regex: '\w+/v1\.1\.3 \(.+/.+\) openshift/\w{7}'
        - regex: '\w+/v1\.2\.0 \(.+/.+\) kubernetes/\w{7}'
          httpVerbs:
          - POST
          - PUT