Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update kubelet authentication/authorization docs #1684

Merged
merged 5 commits into from
Dec 4, 2016

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Nov 15, 2016

Docs for Authenticated/Authorized access to kubelet API feature

This change is Reviewable

@liggitt
Copy link
Member Author

liggitt commented Nov 15, 2016

cc @kubernetes/docs

@liggitt
Copy link
Member Author

liggitt commented Nov 15, 2016

cc @kubernetes/sig-auth

@liggitt liggitt added this to the 1.5 milestone Nov 15, 2016
Copy link
Contributor

@ericchiang ericchiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On question but otherwise lgtm

name should be as depicted:

```
02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a set of authorization rules for this user group? I know that this requires the bootstrap token to only have access to specific sub resources (or it can auto approve its own request).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was just a move of the existing doc, and this is just an example group... there's nothing in-tree that actually uses that group name

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay nvm. I've opened #1703

By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured
authentication methods are treated as anonymous requests, and given a username of `system:anonymous`
and a group of `system:unauthenticated`. To disable anonymous access:
* start the kubelet with the `--anonymous-auth=false` flag
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does disabling this result in getting a user named "" or a 401?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

401

@deads2k
Copy link
Contributor

deads2k commented Nov 18, 2016

question, looks good otherwise.

@jaredbhatti
Copy link
Contributor

The docs content looks good, but the new docs should have a home under "reference" in the left nav. Can you add them to _data/reference.yml?
https://github.com/kubernetes/kubernetes.github.io/blob/master/_data/reference.yml

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 22, 2016
@liggitt
Copy link
Member Author

liggitt commented Nov 22, 2016

added

Copy link
Contributor

@SEJeff SEJeff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor nits.

```

## kubelet configuration
To use request a client cert from the certificate request API, the kubelet needs a path to a kubeconfig file that contains the
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you perhaps mean:

To request a client cert from the certificate request API, the kubelet needs a path to the kubeconfig file that contains the ...

The phrase To use request seems a bit odd.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was a straight move of the content in kubelet-tls-bootstrapping.md, I'd rather save content changes in that file for a follow-up

An administrator can list CSRs with `kubectl get csr`, describe one in detail with `kubectl describe <name>`. There are
[currently no direct approve/deny commands](https://github.com/kubernetes/kubernetes/issues/30163) so an approver will need to update
the Status field directly. A rough example of how to do this in bash which should only be used until the porcelain merges is available
at https://github.com/gtank/csrctl.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider link-ifying that url:

at [https://github.com/gtank/csrctl](https://github.com/gtank/csrctl)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

* TOC
{:toc}

## Summary
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we use "Summary" anywhere. Go with "Overview".

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done


## Summary

The kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The kubelet -> a kubelet (there's more than one)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

## Summary

The kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity,
and allow performing operations of varying power on the node and within containers.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By "varying power" do you mean "requiring stronger/weaker permissions"?

How about:
"and allow you to perform operations with varying levels of power on the node and within containers."

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

* TOC
{:toc}

## Summary
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/Summary/Overview


## Summary

This document describes setting up TLS client certificate bootstrapping for kubelets.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"This document describes how to set up the TLS client certificate boostrapping for kubelets."

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

## Summary

This document describes setting up TLS client certificate bootstrapping for kubelets.
Kubernetes 1.4 introduces an experimental API for requesting certificates from a cluster-level
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this text be updated for version 1.5?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll leave that as a follow up for @mikedanese, this PR just moved the content to its own file

@devin-donnelly
Copy link
Contributor

@liggitt , a few more comments. Would you mind resolving all the any outstanding comments before I can apply Docs LGTM?

@devin-donnelly
Copy link
Contributor

@liggitt , thank you! This is ready to merge.

@devin-donnelly devin-donnelly merged commit 8b0b0c8 into kubernetes:release-1.5 Dec 4, 2016
@liggitt liggitt deleted the kubelet-authnz branch December 19, 2016 14:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants