edits to accessing-the-api.md to correct formatting and other minor issues
Signed-off-by: mikebrow <brownwm@us.ibm.com>
pull/315/head
parent 1cdec21194
commit 4fcfce63a7
|
@ -17,20 +17,23 @@ there is one of these running on a single kubernetes-master node.
|
||||||
|
|
||||||
By default the Kubernetes APIserver serves HTTP on 2 ports:
|
By default the Kubernetes APIserver serves HTTP on 2 ports:
|
||||||
|
|
||||||
1. Localhost Port
|
1. `Localhost Port`:
|
||||||
- serves HTTP
|
|
||||||
- default is port 8080, change with `--insecure-port` flag.
|
- serves HTTP
|
||||||
- defaults IP is localhost, change with `--insecure-bind-address` flag.
|
- default is port 8080, change with `--insecure-port` flag.
|
||||||
- no authentication or authorization checks in HTTP
|
- defaults IP is localhost, change with `--insecure-bind-address` flag.
|
||||||
- protected by need to have host access
|
- no authentication or authorization checks in HTTP
|
||||||
2. Secure Port
|
- protected by need to have host access
|
||||||
- default is port 6443, change with `--secure-port` flag.
|
2. `Secure Port`:
|
||||||
- default IP is first non-localhost network interface, change with `--bind-address` flag.
|
|
||||||
- serves HTTPS. Set cert with `--tls-cert-file` and key with `--tls-private-key-file` flag.
|
- default is port 6443, change with `--secure-port` flag.
|
||||||
- uses token-file or client-certificate based [authentication](/docs/admin/authentication).
|
- default IP is first non-localhost network interface, change with `--bind-address` flag.
|
||||||
- uses policy-based [authorization](/docs/admin/authorization).
|
- serves HTTPS. Set cert with `--tls-cert-file` and key with `--tls-private-key-file` flag.
|
||||||
3. Removed: ReadOnly Port
|
- uses token-file or client-certificate based [authentication](/docs/admin/authentication).
|
||||||
- For security reasons, this had to be removed. Use the [service account](/docs/user-guide/service-accounts) feature instead.
|
- uses policy-based [authorization](/docs/admin/authorization).
|
||||||
|
3. Removed: `ReadOnly Port`
|
||||||
|
|
||||||
|
- For security reasons, this had to be removed. Use the [service account](/docs/user-guide/service-accounts) feature instead.
|
||||||
|
|
||||||
## Proxies and Firewall rules
|
## Proxies and Firewall rules
|
||||||
|
|
||||||
|
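Review bot: the Localhost Port bullets still say the port is "protected by need to have host access" immediately after noting that `--insecure-bind-address` can move it off localhost, and the same list says the port does "no authentication or authorization checks"; the hunk should state plainly that binding this port to a non-loopback address exposes API access with no authentication or authorization, so the host-access protection only holds while the default localhost binding is kept. Also, "defaults IP is localhost" is carried over unchanged; since this commit is a formatting and minor-issue pass, change it to "default IP is localhost" to match the "default IP is first non-localhost network interface" bullet under Secure Port. The new backticks around `Localhost Port`, `Secure Port` and `ReadOnly Port` turn prose names into code spans; plain text or bold reads better for names that are not identifiers.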
@ -39,35 +42,31 @@ on the same machine as the apiserver process. The proxy serves HTTPS protected
|
||||||
by Basic Auth on port 443, and proxies to the apiserver on localhost:8080. In
|
by Basic Auth on port 443, and proxies to the apiserver on localhost:8080. In
|
||||||
these configurations the secure port is typically set to 6443.
|
these configurations the secure port is typically set to 6443.
|
||||||
|
|
||||||
A firewall rule is typically configured to allow external HTTPS access to port 443.
|
A firewall rule is typically configured to allow external HTTPS access to port
|
||||||
|
443.
|
||||||
|
|
||||||
The above are defaults and reflect how Kubernetes is deployed to Google Compute Engine using
|
The above are defaults and reflect how Kubernetes is deployed to Google Compute
|
||||||
kube-up.sh. Other cloud providers may vary.
|
Engine using `kube-up.sh.` Other cloud providers may vary.
|
||||||
|
|
||||||
## Use Cases vs IP:Ports
|
## Use Cases vs IP:Ports
|
||||||
|
|
||||||
There are three differently configured serving ports because there are a
|
There are differently configured serving ports to serve a variety of uses cases:
|
||||||
variety of uses cases:
|
|
||||||
|
|
||||||
1. Clients outside of a Kubernetes cluster, such as human running `kubectl`
|
1. Clients outside of a Kubernetes cluster, such as human running `kubectl`
|
||||||
on desktop machine. Currently, accesses the Localhost Port via a proxy (nginx)
|
on a desktop machine. Currently, accesses the Localhost Port via a proxy (nginx)
|
||||||
running on the `kubernetes-master` machine. The proxy can use cert-based authentication
|
running on the `kubernetes-master` machine. The proxy can use cert-based
|
||||||
or token-based authentication.
|
authentication or token-based authentication.
|
||||||
2. Processes running in Containers on Kubernetes that need to read from
|
2. Processes running in Containers on Kubernetes that need to read from
|
||||||
the apiserver. Currently, these can use a [service account](/docs/user-guide/service-accounts).
|
the apiserver. Currently, these can use a [service account](/docs/user-guide/service-accounts).
|
||||||
3. Scheduler and Controller-manager processes, which need to do read-write
|
3. Scheduler and Controller-manager processes, which need to do read-write
|
||||||
API operations, using service accounts to avoid the need to be co-located.
|
API operations, using service accounts to avoid the need to be co-located.
|
||||||
4. Kubelets, which need to do read-write API operations and are necessarily
|
4. Kubelets, which need to do read-write API operations and are necessarily
|
||||||
on different machines than the apiserver. Kubelet uses the Secure Port
|
on different machines than the apiserver. Kubelet uses the Secure Port
|
||||||
to get their pods, to find the services that a pod can see, and to
|
to get their pods, to find the services that a pod can see, and to
|
||||||
write events. Credentials are distributed to kubelets at cluster
|
write events. Credentials are distributed to kubelets at cluster
|
||||||
setup time. Kubelet and kube-proxy can use cert-based authentication or token-based
|
setup time. Kubelet and kube-proxy can use cert-based authentication or
|
||||||
authentication.
|
token-based authentication.
|
||||||
|
|
||||||
## Expected changes
|
## Expected changes
|
||||||
|
|
||||||
- Policy will limit the actions kubelets can do via the authed port.
|
- Policy will limit the actions kubelets can do via the authed port.
|
||||||
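Review bot: the new line "Engine using `kube-up.sh.` Other cloud providers may vary." puts the sentence's period inside the code span; it should be `kube-up.sh`. with the period outside the backticks. In the same hunk, "a variety of uses cases" keeps the "uses cases" typo (should be "use cases"), and "such as human running `kubectl`" / "Currently, accesses the Localhost Port" should read "such as a human running `kubectl`" and "Currently, these access the Localhost Port". Dropping "three" from "There are three differently configured serving ports" is correct now that the ReadOnly Port is listed as removed, but the reworded sentence "to serve a variety of uses cases" is awkward; "There are differently configured serving ports because there are a variety of use cases:" keeps the original wording with only the count removed.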