我的书签
添加书签
移除书签Kubelet authentication/authorization
This document describes how to authenticate and authorize access to the kubelet’s HTTPS endpoint.
By default, requests to the kubelet’s HTTPS endpoint that are not rejected by other configuredauthentication methods are treated as anonymous requests, and given a username of and a group of system:unauthenticated.
To disable anonymous access and send 401 Unauthorized responses to unauthenticated requests:
- start the kubelet with the
—anonymous-auth=falseflag
To enable X509 client certificate authentication to the kubelet’s HTTPS endpoint:
- start the kubelet with the
—client-ca-fileflag, providing a CA bundle to verify client certificates with - see the apiserver authentication documentation for more details
- ensure the
authentication.k8s.io/v1beta1API group is enabled in the API server - start the kubelet with the
—authentication-token-webhookand the—kubeconfigflags - the kubelet calls the
TokenReviewAPI on the configured API server to determine user information from bearer tokens
Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is AlwaysAllow, which allows all requests.
There are many possible reasons to subdivide access to the kubelet API:
- anonymous auth is enabled, but anonymous users’ ability to call the kubelet API should be limited
- bearer token auth is enabled, but arbitrary API users’ (like service accounts) ability to call the kubelet API should be limited
To subdivide access to the kubelet API, delegate authorization to the API server:
- ensure the API group is enabled in the API server
- start the kubelet with the
—authorization-mode=Webhookand the—kubeconfigflags - the kubelet calls the
SubjectAccessReviewAPI on the configured API server to determine whether each request is authorized
The kubelet authorizes API requests using the same approach as the apiserver.
The resource and subresource is determined from the incoming request’s path:
| Kubelet API | resource | subresource |
|---|---|---|
| /stats/ | nodes | stats |
| /metrics/ | nodes | metrics |
| /logs/ | nodes | log |
| /spec/ | nodes | spec |
| all others | nodes | proxy |
The namespace and API group attributes are always an empty string, andthe resource name is always the name of the kubelet’s Node API object.
When running in this mode, ensure the user identified by the —kubelet-client-certificate and flags passed to the apiserver is authorized for the following attributes:
- verb=*, resource=nodes, subresource=proxy
- verb=*, resource=nodes, subresource=stats
- verb=*, resource=nodes, subresource=log
- verb=*, resource=nodes, subresource=metrics
此页是否对您有帮助?
