kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #33130 from tengqm/move-kubelet-authn-authz 

Move kubelet authn authz
pull/34172/head
Kubernetes Prow Robot 2022-06-07 19:11:49 -07:00 committed by GitHub
parent dcd4d21ecc a3ea9f4caf
commit 090803440d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 24 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content/en/docs/concepts/architecture/control-plane-node-communication.md
View File

@ -21,7 +21,7 @@ This document catalogs the communication paths between the control plane (apiser
Kubernetes has a "hub-and-spoke" API pattern. All API usage from nodes (or the pods they run) terminates at the apiserver. None of the other control plane components are designed to expose remote services. The apiserver is configured to listen for remote connections on a secure HTTPS port (typically 443) with one or more forms of client [authentication](/docs/reference/access-authn-authz/authentication/) enabled.
One or more forms of [authorization](/docs/reference/access-authn-authz/authorization/) should be enabled, especially if [anonymous requests](/docs/reference/access-authn-authz/authentication/#anonymous-requests) or [service account tokens](/docs/reference/access-authn-authz/authentication/#service-account-tokens) are allowed.
Nodes should be provisioned with the public root certificate for the cluster such that they can connect securely to the apiserver along with valid client credentials. A good approach is that the client credentials provided to the kubelet are in the form of a client certificate. See [kubelet TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for automated provisioning of kubelet client certificates.
Nodes should be provisioned with the public root certificate for the cluster such that they can connect securely to the apiserver along with valid client credentials. A good approach is that the client credentials provided to the kubelet are in the form of a client certificate. See [kubelet TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) for automated provisioning of kubelet client certificates.
Pods that wish to connect to the apiserver can do so securely by leveraging a service account so that Kubernetes will automatically inject the public root certificate and a valid bearer token into the pod when it is instantiated.
The `kubernetes` service (in `default` namespace) is configured with a virtual IP address that is redirected (via kube-proxy) to the HTTPS endpoint on the apiserver.
@ -49,7 +49,7 @@ To verify this connection, use the `--kubelet-certificate-authority` flag to pro
If that is not possible, use [SSH tunneling](#ssh-tunnels) between the apiserver and kubelet if required to avoid connecting over an
untrusted or public network.
Finally, [Kubelet authentication and/or authorization](/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/) should be enabled to secure the kubelet API.
Finally, [Kubelet authentication and/or authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/) should be enabled to secure the kubelet API.
### apiserver to nodes, pods, and services

4
content/en/docs/concepts/cluster-administration/_index.md
View File

@ -63,8 +63,8 @@ Before choosing a guide, here are some considerations:
### Securing the kubelet
* [Control Plane-Node communication](/docs/concepts/architecture/control-plane-node-communication/)
* [TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
* [Kubelet authentication/authorization](/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)
* [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
* [Kubelet authentication/authorization](/docs/reference/acess-authn-authz/kubelet-authn-authz/)
## Optional Cluster Services

2
content/en/docs/reference/access-authn-authz/_index.md
View File

@ -24,3 +24,5 @@ Reference documentation:
- Service accounts
- [Developer guide](/docs/tasks/configure-pod-container/configure-service-account/)
- [Administration](/docs/reference/access-authn-authz/service-accounts-admin/)
- [Kubelet Authentication & Authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/)
- including kubelet [TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)

2
content/en/docs/reference/access-authn-authz/bootstrap-tokens.md
View File

@ -15,7 +15,7 @@ creating new clusters or joining new nodes to an existing cluster. It was built
to support [kubeadm](/docs/reference/setup-tools/kubeadm/), but can be used in other contexts
for users that wish to start clusters without `kubeadm`. It is also built to
work, via RBAC policy, with the
[Kubelet TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) system.
[Kubelet TLS Bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) system.
<!-- body -->

0
content/en/docs/reference/command-line-tools-reference/kubelet-authentication-authorization.md → content/en/docs/reference/access-authn-authz/kubelet-authn-authz.md
View File

0
content/en/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.md → content/en/docs/reference/access-authn-authz/kubelet-tls-bootstrapping.md
View File

2
content/en/docs/reference/access-authn-authz/node.md
View File

@ -43,7 +43,7 @@ have the minimal set of permissions required to operate correctly.
In order to be authorized by the Node authorizer, kubelets must use a credential that identifies them as
being in the `system:nodes` group, with a username of `system:node:<nodeName>`.
This group and user name format match the identity created for each kubelet as part of
[kubelet TLS bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/).
[kubelet TLS bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/).
The value of `<nodeName>` **must** match precisely the name of the node as registered by the kubelet. By default, this is the host name as provided by `hostname`, or overridden via the [kubelet option](/docs/reference/command-line-tools-reference/kubelet/) `--hostname-override`. However, when using the `--cloud-provider` kubelet option, the specific hostname may be determined by the cloud provider, ignoring the local `hostname` and the `--hostname-override` option.
For specifics about how the kubelet determines the hostname, see the [kubelet options reference](/docs/reference/command-line-tools-reference/kubelet/).

2
content/en/docs/reference/access-authn-authz/rbac.md
View File

@ -798,7 +798,7 @@ This is commonly used by add-on API servers for unified authentication and autho
<td><b>system:node-bootstrapper</b></td>
<td>None</td>
<td>Allows access to the resources required to perform
<a href="/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/">kubelet TLS bootstrapping</a>.</td>
<a href="/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/">kubelet TLS bootstrapping</a>.</td>
</tr>
<tr>
<td><b>system:node-problem-detector</b></td>

4
content/en/docs/reference/command-line-tools-reference/feature-gates.md
View File

@ -1086,10 +1086,10 @@ Each feature gate is designed for enabling/disabling a specific feature:
[Bound Service Account Tokens](https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md)
for more details.
- `RotateKubeletClientCertificate`: Enable the rotation of the client TLS certificate on the kubelet.
See [kubelet configuration](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration)
See [kubelet configuration](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#kubelet-configuration)
for more details.
- `RotateKubeletServerCertificate`: Enable the rotation of the server TLS certificate on the kubelet.
See [kubelet configuration](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration)
See [kubelet configuration](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#kubelet-configuration)
for more details.
- `RunAsGroup`: Enable control over the primary group ID set on the init
processes of containers.

4
content/en/docs/reference/setup-tools/kubeadm/implementation-details.md
View File

@ -219,7 +219,7 @@ Other API server flags that are set unconditionally are:
- `--insecure-port=0` to avoid insecure connections to the api server
- `--enable-bootstrap-token-auth=true` to enable the `BootstrapTokenAuthenticator` authentication module.
See [TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for more details
See [TLS Bootstrapping](/docs/reference/access-authn-authn/kubelet-tls-bootstrapping/) for more details
- `--allow-privileged` to `true` (required e.g. by kube proxy)
- `--requestheader-client-ca-file` to `front-proxy-ca.crt`
- `--enable-admission-plugins` to:
@ -266,7 +266,7 @@ The static Pod manifest for the controller manager is affected by following para
Other flags that are set unconditionally are:
- `--controllers` enabling all the default controllers plus `BootstrapSigner` and `TokenCleaner` controllers for TLS bootstrap.
See [TLS Bootstrapping](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) for more details
See [TLS Bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) for more details
- `--use-service-account-credentials` to `true`
- Flags for using certificates generated in previous steps:
- `--root-ca-file` to `ca.crt`

2
content/en/docs/reference/setup-tools/kubeadm/kubeadm-init.md
View File

@ -52,7 +52,7 @@ following steps:
1. Makes all the necessary configurations for allowing node joining with the
[Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and
[TLS Bootstrap](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
[TLS Bootstrap](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/)
mechanism:
- Write a ConfigMap for making available all the information required

2
content/en/docs/setup/best-practices/certificates.md
View File

@ -22,7 +22,7 @@ This page explains the certificates that your cluster requires.
Kubernetes requires PKI for the following operations:
* Client certificates for the kubelet to authenticate to the API server
* Kubelet [server certificates](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#client-and-serving-certificates)
* Kubelet [server certificates](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#client-and-serving-certificates)
for the API server to talk to the kubelets
* Server certificate for the API server endpoint
* Client certificates for administrators of the cluster to authenticate to the API server

2
content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md
View File

@ -276,7 +276,7 @@ By default, these serving certificate will expire after one year. Kubeadm sets t
`KubeletConfiguration` field `rotateCertificates` to `true`, which means that close
to expiration a new set of CSRs for the serving certificates will be created and must
be approved to complete the rotation. To understand more see
[Certificate Rotation](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation).
[Certificate Rotation](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation).
If you are looking for a solution for automatic approval of these CSRs it is recommended
that you contact your cloud provider and ask if they have a CSR signer that verifies

11
content/en/docs/tasks/administer-cluster/securing-a-cluster.md
View File

@ -13,15 +13,10 @@ content_type: task
This document covers topics related to protecting a cluster from accidental or malicious access
and provides recommendations on overall security.
## {{% heading "prerequisites" %}}
* {{< include "task-tutorial-prereqs.md" >}} {{< version-check >}}
<!-- steps -->
## Controlling access to the Kubernetes API
@ -77,11 +72,13 @@ Consult the [authorization reference section](/docs/reference/access-authn-authz
## Controlling access to the Kubelet
Kubelets expose HTTPS endpoints which grant powerful control over the node and containers. By default Kubelets allow unauthenticated access to this API.
Kubelets expose HTTPS endpoints which grant powerful control over the node and containers.
By default Kubelets allow unauthenticated access to this API.
Production clusters should enable Kubelet authentication and authorization.
Consult the [Kubelet authentication/authorization reference](/docs/reference/command-line-tools-reference/kubelet-authentication-authorization) for more information.
Consult the [Kubelet authentication/authorization reference](/docs/reference/access-authn-authz/kubelet-authn-authz/)
for more information.
## Controlling the capabilities of a workload or user at runtime

2
content/en/docs/tasks/tls/certificate-rotation.md
View File

@ -28,7 +28,7 @@ default, these certificates are issued with one year expiration so that they do
not need to be renewed too frequently.
Kubernetes contains [kubelet certificate
rotation](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/),
rotation](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/),
that will automatically generate a new key and request a new certificate from
the Kubernetes API as the current certificate approaches expiration. Once the
new certificate is available, it will be used for authenticating connections to

6
static/_redirects
View File

@ -41,8 +41,8 @@
/docs/admin/ha-master-gce/ /docs/setup/production-environment/#production-control-plane 301
/docs/admin/ha-master-gce.md/ /docs/setup/production-environment/#production-control-plane 301
/docs/admin/high-availability/ /docs/setup/production-environment/tools/kubeadm/high-availability/ 301
/docs/admin/kubelet-authentication-authorization/ /docs/reference/command-line-tools-reference/kubelet-authentication-authorization/ 301
/docs/admin/kubelet-tls-bootstrapping/ /docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/ 301
/docs/admin/kubelet-authentication-authorization/ /docs/reference/access-authn-authz/kubelet-authn-authz/ 301
/docs/admin/kubelet-tls-bootstrapping/ /docs/reference/access-authn-authz/kubelet-tls-bootstrapping/ 301
/docs/admin/limitrange/ /docs/tasks/administer-cluster/cpu-memory-limit/ 301
/docs/admin/limitrange/Limits/ /docs/tasks/administer-cluster/limit-storage-consumption/#limitrange-to-limit-requests-for-storage/ 301
/docs/admin/master-node-communication/ /docs/concepts/architecture/master-node-communication/ 301
@ -252,7 +252,7 @@
/docs/tasks/administer-cluster/apply-resource-quota-limit/ /docs/tasks/administer-cluster/quota-api-object/ 301
/docs/tasks/administer-cluster/assign-pods-nodes/ /docs/tasks/configure-pod-container/assign-pods-nodes/ 301
/docs/tasks/administer-cluster/calico-network-policy/ /docs/tasks/administer-cluster/network-policy-provider/calico-network-policy/ 301
/docs/tasks/administer-cluster/certificate-rotation/ /docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/ 301
/docs/tasks/administer-cluster/certificate-rotation/ /docs/reference/access-authn-authz/kubelet-tls-bootstrapping/ 301
/docs/tasks/administer-cluster/cilium-network-policy/ /docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/ 301
/docs/tasks/administer-cluster/configure-namespace-isolation/ /docs/concepts/services-networking/network-policies/ 301
/docs/tasks/administer-cluster/configure-multiple-schedulers/ /docs/tasks/extend-kubernetes/configure-multiple-schedulers/ 301