Update kubelet authentication/authorization docs #1684
Conversation
liggitt
force-pushed
the
kubelet-authnz
branch
from
7c230e1
to
14dd707
Compare
liggitt
force-pushed
the
kubelet-authnz
branch
from
14dd707
to
4a0963b
Compare
|
cc @kubernetes/docs |
|
cc @kubernetes/sig-auth |
| name should be as depicted: | ||
|
|
||
| ``` | ||
| 02b50b05283e98dd0fd71db496ef01e8,kubelet-bootstrap,10001,"system:kubelet-bootstrap" |
There was a problem hiding this comment.
Do we have a set of authorization rules for this user group? I know that this requires the bootstrap token to only have access to specific sub resources (or it can auto approve its own request).
There was a problem hiding this comment.
this was just a move of the existing doc, and this is just an example group... there's nothing in-tree that actually uses that group name
There was a problem hiding this comment.
okay nvm. I've opened #1703
| By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured | ||
| authentication methods are treated as anonymous requests, and given a username of `system:anonymous` | ||
| and a group of `system:unauthenticated`. To disable anonymous access: | ||
| * start the kubelet with the `--anonymous-auth=false` flag |
There was a problem hiding this comment.
Does disabling this result in getting a user named "" or a 401?
|
question, looks good otherwise. |
liggitt
force-pushed
the
kubelet-authnz
branch
from
4a0963b
to
d8201b7
Compare
|
The docs content looks good, but the new docs should have a home under "reference" in the left nav. Can you add them to _data/reference.yml? |
liggitt
force-pushed
the
kubelet-authnz
branch
from
d8201b7
to
1abeeb6
Compare
k8s-ci-robot
added
the
cncf-cla: yes
|
added |
| ``` | ||
|
|
||
| ## kubelet configuration | ||
| To use request a client cert from the certificate request API, the kubelet needs a path to a kubeconfig file that contains the |
There was a problem hiding this comment.
Do you perhaps mean:
To request a client cert from the certificate request API, the kubelet needs a path to the kubeconfig file that contains the ...
The phrase To use request seems a bit odd.
There was a problem hiding this comment.
this was a straight move of the content in kubelet-tls-bootstrapping.md, I'd rather save content changes in that file for a follow-up
| An administrator can list CSRs with `kubectl get csr`, describe one in detail with `kubectl describe <name>`. There are | ||
| [currently no direct approve/deny commands](https://github.com/kubernetes/kubernetes/issues/30163) so an approver will need to update | ||
| the Status field directly. A rough example of how to do this in bash which should only be used until the porcelain merges is available | ||
| at https://github.com/gtank/csrctl. |
There was a problem hiding this comment.
Consider link-ifying that url:
at [https://github.com/gtank/csrctl](https://github.com/gtank/csrctl)
| * TOC | ||
| {:toc} | ||
|
|
||
| ## Summary |
There was a problem hiding this comment.
I don't think we use "Summary" anywhere. Go with "Overview".
|
|
||
| ## Summary | ||
|
|
||
| The kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity, |
There was a problem hiding this comment.
The kubelet -> a kubelet (there's more than one)
| ## Summary | ||
|
|
||
| The kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity, | ||
| and allow performing operations of varying power on the node and within containers. |
There was a problem hiding this comment.
By "varying power" do you mean "requiring stronger/weaker permissions"?
How about:
"and allow you to perform operations with varying levels of power on the node and within containers."
| * TOC | ||
| {:toc} | ||
|
|
||
| ## Summary |
|
|
||
| ## Summary | ||
|
|
||
| This document describes setting up TLS client certificate bootstrapping for kubelets. |
There was a problem hiding this comment.
"This document describes how to set up the TLS client certificate boostrapping for kubelets."
| ## Summary | ||
|
|
||
| This document describes setting up TLS client certificate bootstrapping for kubelets. | ||
| Kubernetes 1.4 introduces an experimental API for requesting certificates from a cluster-level |
There was a problem hiding this comment.
Should this text be updated for version 1.5?
There was a problem hiding this comment.
I'll leave that as a follow up for @mikedanese, this PR just moved the content to its own file
|
@liggitt , a few more comments. Would you mind resolving all the any outstanding comments before I can apply Docs LGTM? |
liggitt
force-pushed
the
kubelet-authnz
branch
from
1abeeb6
to
2940a24
Compare
|
@liggitt , thank you! This is ready to merge. |
Docs for Authenticated/Authorized access to kubelet API feature
This change is