Merge pull request #48412 from vinayakankugoyal/kep2862impl

KEP-2862: Fine-grained Authz for Kubelet API.
2024-10-23 00:22:52 +01:00 · 2024-10-23 00:22:52 +01:00 · b92deb464a
parent e3f036804f b6086ca952
commit b92deb464a
2 changed files with 49 additions and 0 deletions
--- a/content/en/docs/reference/access-authn-authz/kubelet-authn-authz.md
+++ b/content/en/docs/reference/access-authn-authz/kubelet-authn-authz.md
@ -85,3 +85,38 @@ flags passed to the apiserver is authorized for the following attributes:
 * verb=\*, resource=nodes, subresource=log
 * verb=\*, resource=nodes, subresource=spec
 * verb=\*, resource=nodes, subresource=metrics
+
+### Fine-grained authorization
+
+{{< feature-state feature_gate_name="KubeletFineGrainedAuthz" >}}
+
+When the feature gate `KubeletFineGrainedAuthz` is enabled kubelet performs a
+fine-grained check before falling back to the `proxy` subresource for the `/pods`,
+`/runningPods`, `/configz` and `/healthz` endpoints. The resource and subresource 
+are determined from the incoming request's path:
+
+Kubelet API   | resource | subresource
+--------------|----------|------------
+/stats/\*     | nodes    | stats
+/metrics/\*   | nodes    | metrics
+/logs/\*      | nodes    | log
+/spec/\*      | nodes    | spec
+/pods         | nodes    | pods, proxy
+/runningPods/ | nodes    | pods, proxy
+/healthz      | nodes    | healthz, proxy
+/configz      | nodes    | configz, proxy 
+*all others*  | nodes    | proxy
+
+
+When the feature-gate `KubeletFineGrainedAuthz` is enabled, ensure the user
+identified by the `--kubelet-client-certificate` and `--kubelet-client-key`
+flags passed to the API server is authorized for the following attributes:
+
+* verb=\*, resource=nodes, subresource=proxy
+* verb=\*, resource=nodes, subresource=stats
+* verb=\*, resource=nodes, subresource=log
+* verb=\*, resource=nodes, subresource=spec
+* verb=\*, resource=nodes, subresource=metrics
+* verb=\*, resource=nodes, subresource=configz
+* verb=\*, resource=nodes, subresource=healthz
+* verb=\*, resource=nodes, subresource=pods
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates/kubelet-finegrained-authz.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/kubelet-finegrained-authz.md
@ -0,0 +1,14 @@
+---
+title: KubeletFineGrainedAuthz
+content_type: feature_gate
+_build:
+  list: never
+  render: false
+
+stages:
+  - stage: alpha 
+    defaultValue: false
+    fromVersion: "1.32"
+---
+Enable [fine-grained authorization](/docs/reference/access-authn-authz/kubelet-authn-authz/#fine-grained-authorization) 
+for the kubelet's HTTP(s) API.