Update kubelet authentication/authorization docs #1684
Conversation
7c230e1 to 14dd707
14dd707 to 4a0963b
cc @kubernetes/docs
cc @kubernetes/sig-auth
One question but otherwise lgtm
name should be as depicted:

```
02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
```
Do we have a set of authorization rules for this user group? I know that this requires the bootstrap token to only have access to specific sub resources (or it can auto approve its own request).
this was just a move of the existing doc, and this is just an example group... there's nothing in-tree that actually uses that group name
okay nvm. I've opened #1703
By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured
authentication methods are treated as anonymous requests, and given a username of `system:anonymous`
and a group of `system:unauthenticated`. To disable anonymous access:
* start the kubelet with the `--anonymous-auth=false` flag
Does disabling this result in getting a user named "" or a 401?
401
question, looks good otherwise.
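The token file line depicted in the review thread above and the anonymous-request rule discussed under `--anonymous-auth`, modelled together as an added example (this is not code from the PR, the docs, or Kubernetes itself). It assumes the line follows the static token file layout of token, user name, user uid and an optional quoted comma-separated group list (that layout is taken from Kubernetes' static token file format and is not stated on this page), and it follows the doc text literally: a request carrying no credentials becomes `system:anonymous` in group `system:unauthenticated` unless anonymous auth is off, in which case it gets a 401; a request that carries an unrecognised token is rejected by the token check itself and never reaches the anonymous fallback. The second token file line is constructed for the example.

```python
import csv
import io

# Constructed sample token file. The first line is the one depicted in the
# review thread; the second is made up here to show a multi-group entry.
SAMPLE_TOKEN_FILE = """\
02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
deadbeefdeadbeefdeadbeefdeadbeef,node-probe,10002,"system:nodes,monitoring"
"""

ANONYMOUS_USER = "system:anonymous"
ANONYMOUS_GROUP = "system:unauthenticated"


def parse_token_file(text):
    """Parse token file text into {token: (user, uid, [groups])}.

    Assumed layout (static token file format): token,user,uid[,"g1,g2"].
    Malformed rows raise ValueError so a bad file fails closed instead of
    silently authenticating nobody or the wrong identity.
    """
    identities = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) < 3 or not row[0] or not row[1]:
            raise ValueError(f"line {lineno}: expected token,user,uid[,groups]")
        token, user, uid = row[0], row[1], row[2]
        # The group list is one quoted field; csv has already removed the quotes.
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        if token in identities:
            raise ValueError(f"line {lineno}: duplicate token")
        identities[token] = (user, uid, groups)
    return identities


def authenticate(bearer_token, identities, anonymous_auth=True):
    """Decision modelled on the doc text in the thread (not kubelet code).

    Returns (user, groups) for a recognised token, the anonymous identity for
    a credential-less request when anonymous auth is on, or None (a 401) when
    the request is rejected: unknown token, or no credentials with anonymous
    auth disabled.
    """
    if bearer_token is not None:
        if bearer_token in identities:
            user, _uid, groups = identities[bearer_token]
            return (user, list(groups))
        # A presented-but-unknown token is rejected by the token authenticator,
        # so it is not "not rejected" and never becomes anonymous.
        return None
    if anonymous_auth:
        return (ANONYMOUS_USER, [ANONYMOUS_GROUP])
    return None


if __name__ == "__main__":
    ids = parse_token_file(SAMPLE_TOKEN_FILE)
    print(authenticate("02b50b05283e98dd0fd71db496ef01e8", ids))
    print(authenticate(None, ids, anonymous_auth=True))
    print(authenticate(None, ids, anonymous_auth=False))
    print(authenticate("not-a-real-token", ids))
```

The distinction between "no credentials" and "bad credentials" is the part worth checking on a real kubelet: with `--anonymous-auth=false` both paths should return 401, and with it enabled only the credential-less request should be mapped to `system:anonymous`.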
4a0963b to d8201b7
The docs content looks good, but the new docs should have a home under "reference" in the left nav. Can you add them to _data/reference.yml?
d8201b7 to 1abeeb6
added
Just a few minor nits.
## kubelet configuration

To use request a client cert from the certificate request API, the kubelet needs a path to a kubeconfig file that contains the
Do you perhaps mean:
To request a client cert from the certificate request API, the kubelet needs a path to the kubeconfig file that contains the ...
The phrase "To use request" seems a bit odd.
this was a straight move of the content in kubelet-tls-bootstrapping.md, I'd rather save content changes in that file for a follow-up
An administrator can list CSRs with `kubectl get csr`, describe one in detail with `kubectl describe <name>`. There are
[currently no direct approve/deny commands](https://github.com/kubernetes/kubernetes/issues/30163) so an approver will need to update
the Status field directly. A rough example of how to do this in bash which should only be used until the porcelain merges is available
at https://github.com/gtank/csrctl.
Consider link-ifying that url:
at [https://github.com/gtank/csrctl](https://github.com/gtank/csrctl)
done
* TOC
{:toc}

## Summary
I don't think we use "Summary" anywhere. Go with "Overview".
done
## Summary

The kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity,
The kubelet -> a kubelet (there's more than one)
done
## Summary

The kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity,
and allow performing operations of varying power on the node and within containers.
By "varying power" do you mean "requiring stronger/weaker permissions"?
How about:
"and allow you to perform operations with varying levels of power on the node and within containers."
done
* TOC
{:toc}

## Summary
s/Summary/Overview
## Summary

This document describes setting up TLS client certificate bootstrapping for kubelets.
"This document describes how to set up the TLS client certificate bootstrapping for kubelets."
done
## Summary

This document describes setting up TLS client certificate bootstrapping for kubelets.
Kubernetes 1.4 introduces an experimental API for requesting certificates from a cluster-level
Should this text be updated for version 1.5?
I'll leave that as a follow up for @mikedanese, this PR just moved the content to its own file
@liggitt , a few more comments. Would you mind resolving all the outstanding comments before I can apply Docs LGTM?
1abeeb6 to 2940a24
@liggitt , thank you! This is ready to merge.
Docs for Authenticated/Authorized access to kubelet API feature