---
title: kubelet 认证/鉴权
weight: 110
---
<!--
reviewers:
- liggitt
title: Kubelet authentication/authorization
weight: 110
-->

<!--
## Overview
-->
## 概述  {#overview}

<!--
A kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity,
and allow you to perform operations with varying levels of power on the node and within containers.
-->
kubelet 的 HTTPS 端点公开了一些 API，这些 API 可以访问敏感度不同的数据，
并允许你在节点上和容器内以不同级别的权限执行操作。

<!--
This document describes how to authenticate and authorize access to the kubelet's HTTPS endpoint.
-->
本文档介绍了如何对 kubelet 的 HTTPS 端点的访问进行认证和鉴权。

<!--
## Kubelet authentication
-->
## kubelet 身份认证   {#kubelet-authentication}

<!--
By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured
authentication methods are treated as anonymous requests, and given a username of `system:anonymous`
and a group of `system:unauthenticated`.
-->
默认情况下，未被已配置的其他身份认证方法拒绝的对 kubelet 的 HTTPS 端点的请求会被视为匿名请求，
并被赋予 `system:anonymous` 用户名和 `system:unauthenticated` 组。

<!--
To disable anonymous access and send `401 Unauthorized` responses to unauthenticated requests:
-->
要禁用匿名访问并向未经身份认证的请求发送 `401 Unauthorized` 响应，请执行以下操作：

<!--
* start the kubelet with the `--anonymous-auth=false` flag
-->
* 带 `--anonymous-auth=false` 标志启动 kubelet

<!--
To enable X509 client certificate authentication to the kubelet's HTTPS endpoint:
-->
要对 kubelet 的 HTTPS 端点启用 X509 客户端证书认证：

<!--
* start the kubelet with the `--client-ca-file` flag, providing a CA bundle to verify client certificates with
* start the apiserver with `--kubelet-client-certificate` and `--kubelet-client-key` flags
* see the [apiserver authentication documentation](/docs/reference/access-authn-authz/authentication/#x509-client-certificates) for more details
-->
* 带 `--client-ca-file` 标志启动 kubelet，提供一个 CA 证书包以供验证客户端证书
* 带 `--kubelet-client-certificate` 和 `--kubelet-client-key` 标志启动 API 服务器
* 有关更多详细信息，请参见
  [API 服务器身份认证文档](/zh-cn/docs/reference/access-authn-authz/authentication/#x509-client-certificates)

<!--
To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint:
-->
要启用 API 持有者令牌（包括服务账号令牌）以对 kubelet 的 HTTPS 端点进行身份认证，请执行以下操作：

<!--
* ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authentication-token-webhook` and `--kubeconfig` flags
* the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens
-->
* 确保在 API 服务器中启用了 `authentication.k8s.io/v1beta1` API 组
* 带 `--authentication-token-webhook` 和 `--kubeconfig` 标志启动 kubelet
* kubelet 调用已配置的 API 服务器上的 `TokenReview` API，以根据持有者令牌确定用户信息

<!--
## Kubelet authorization
-->
## kubelet 鉴权   {#kubelet-authorization}

<!--
Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is `AlwaysAllow`, which allows all requests.
-->
任何成功通过身份认证的请求（包括匿名请求）之后都会被鉴权。
默认的鉴权模式为 `AlwaysAllow`，它允许所有请求。

<!--
There are many possible reasons to subdivide access to the kubelet API:
-->
细分对 kubelet API 的访问权限可能有多种原因：

<!--
* anonymous auth is enabled, but anonymous users' ability to call the kubelet API should be limited
* bearer token auth is enabled, but arbitrary API users' (like service accounts) ability to call the kubelet API should be limited
* client certificate auth is enabled, but only some of the client certificates signed by the configured CA should be allowed to use the kubelet API
-->
* 启用了匿名身份认证，但是应限制匿名用户调用 kubelet API 的能力
* 启用了持有者令牌认证，但应限制任意 API 用户（如服务账号）调用 kubelet API 的能力
* 启用了客户端证书身份认证，但仅应允许已配置的 CA 签名的某些客户端证书使用 kubelet API

<!--
To subdivide access to the kubelet API, delegate authorization to the API server:
-->
要细分对 kubelet API 的访问权限，请将鉴权委派给 API 服务器：

<!--
* ensure the `authorization.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authorization-mode=Webhook` and the `--kubeconfig` flags
* the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized
-->
* 确保在 API 服务器中启用了 `authorization.k8s.io/v1beta1` API 组
* 带 `--authorization-mode=Webhook` 和 `--kubeconfig` 标志启动 kubelet
* kubelet 调用已配置的 API 服务器上的 `SubjectAccessReview` API，
  以确定每个请求是否得到鉴权

<!--
The kubelet authorizes API requests using the same [request attributes](/docs/reference/access-authn-authz/authorization/#review-your-request-attributes) approach as the apiserver.
-->
kubelet 使用与 API
服务器相同的[请求属性](/zh-cn/docs/reference/access-authn-authz/authorization/#review-your-request-attributes)方法对
API 请求执行鉴权。

<!--
The verb is determined from the incoming request's HTTP verb:
-->
请求的动词根据传入请求的 HTTP 动词确定：

<!--
HTTP verb | request verb
-->
HTTP 动词 | 请求动词
----------|---------------
POST      | create
GET, HEAD | get
PUT       | update
PATCH     | patch
DELETE    | delete

<!--
The resource and subresource is determined from the incoming request's path:
-->
资源和子资源是根据传入请求的路径确定的：

<!--
Kubelet API         | resource | subresource
--------------------|----------|------------
/stats/\*           | nodes    | stats
/metrics/\*         | nodes    | metrics
/logs/\*            | nodes    | log
/spec/\*            | nodes    | spec
/checkpoint/\*      | nodes    | checkpoint
*all others*        | nodes    | proxy
-->
kubelet API  | 资源 | 子资源
-------------|----------|------------
/stats/\*     | nodes    | stats
/metrics/\*   | nodes    | metrics
/logs/\*      | nodes    | log
/spec/\*      | nodes    | spec
/checkpoint/\* | nodes   | checkpoint
**其它所有**  | nodes    | proxy

<!--
The namespace and API group attributes are always an empty string, and
the resource name is always the name of the kubelet's `Node` API object.
-->
名字空间和 API 组属性始终是空字符串，
资源名称始终是 kubelet 的 `Node` API 对象的名称。

<!--
When running in this mode, ensure the user identified by the `--kubelet-client-certificate` and `--kubelet-client-key`
flags passed to the apiserver is authorized for the following attributes:
-->
在此模式下运行时，请确保传递给 API 服务器的由 `--kubelet-client-certificate` 和
`--kubelet-client-key` 标志标识的用户具有以下属性的鉴权：

* verb=\*, resource=nodes, subresource=proxy
* verb=\*, resource=nodes, subresource=stats
* verb=\*, resource=nodes, subresource=log
* verb=\*, resource=nodes, subresource=spec
* verb=\*, resource=nodes, subresource=metrics

<!--
### Fine-grained authorization
-->
### 细粒度鉴权   {#fine-grained-authorization}

{{< feature-state feature_gate_name="KubeletFineGrainedAuthz" >}}

<!--
When the feature gate `KubeletFineGrainedAuthz` is enabled kubelet performs a
fine-grained check before falling back to the `proxy` subresource for the `/pods`,
`/runningPods`, `/configz` and `/healthz` endpoints. The resource and subresource 
are determined from the incoming request's path:
-->
当特性门控 `KubeletFineGrainedAuthz` 被启用时，kubelet 处理对
`/pods`、`/runningPods`、`/configz` 和 `/healthz` 等端点的请求时，在回退到 `proxy` 子资源之前，
会执行一次细粒度的检查。资源和子资源是根据传入请求的路径确定的：

<!--
Kubelet API   | resource | subresource
--------------|----------|------------
/stats/\*     | nodes    | stats
/metrics/\*   | nodes    | metrics
/logs/\*      | nodes    | log
/pods         | nodes    | pods, proxy
/runningPods/ | nodes    | pods, proxy
/healthz      | nodes    | healthz, proxy
/configz      | nodes    | configz, proxy
*all others*  | nodes    | proxy
-->
kubelet API   | 资源      | 子资源
--------------|----------|------------
/stats/\*     | nodes    | stats
/metrics/\*   | nodes    | metrics
/logs/\*      | nodes    | log
/pods         | nodes    | pods, proxy
/runningPods/ | nodes    | pods, proxy
/healthz      | nodes    | healthz, proxy
/configz      | nodes    | configz, proxy
**其他所有**   | nodes    | proxy

<!--
When the feature-gate `KubeletFineGrainedAuthz` is enabled, ensure the user
identified by the `--kubelet-client-certificate` and `--kubelet-client-key`
flags passed to the API server is authorized for the following attributes:
-->
当特性门控 `KubeletFineGrainedAuthz` 被启用时，请确保经传递给 API 服务器的
`--kubelet-client-certificate` 和 `--kubelet-client-key` 标志所鉴别的用户被授权了以下属性：

* verb=\*, resource=nodes, subresource=proxy
* verb=\*, resource=nodes, subresource=stats
* verb=\*, resource=nodes, subresource=log
* verb=\*, resource=nodes, subresource=metrics
* verb=\*, resource=nodes, subresource=configz
* verb=\*, resource=nodes, subresource=healthz
* verb=\*, resource=nodes, subresource=pods

<!--
If [RBAC authorization](/docs/reference/access-authn-authz/rbac/) is used,
enabling this gate also ensure that the builtin `system:kubelet-api-admin` ClusterRole
is updated with permissions to access all the above mentioned subresources.
-->
如果使用的是 [RBAC 鉴权](/zh-cn/docs/reference/access-authn-authz/rbac/)，
那么启用此特性门控时，系统还会自动更新内置的 `system:kubelet-api-admin ClusterRole`，
确保其具备访问上述所有子资源的权限。