Get Started

Ready to get your hands dirty? Build a simple Kubernetes cluster that runs "Hello World" for Node.js.

Documentation

Learn how to use Kubernetes with the use of walkthroughs, samples, and reference documentation. You can even help contribute to the docs!

Community

If you need help, you can connect with other Kubernetes users and the Kubernetes authors, attend community events, and watch video presentations from around the web.

Blog

Read the latest news for Kubernetes and the containers space in general, and get technical how-tos hot off the presses.

Interested in hacking on the core Kubernetes code base?

View On Github

Explore the community

Reference Documentation

Design docs, concept definitions, and references for APIs and CLIs.

Documentation for Kubernetes v1.5 is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Kubernetes Resource Types (New Docs Style)

Version 1.5

Kubernetes API (New Docs Style)

Version 1.5

Kubectl Commands (New Docs Style)

Version 1.5

Kubernetes API

Kubernetes API Overview

Accessing the API

Overview

Authenticating

Using Authorization Plugins

Using Admission Controllers

Managing Service Accounts

Kubernetes API Operations

Kubernetes API Definitions

Well-Known Labels, Annotations and Taints

Kubernetes API Swagger Spec

Autoscaling API

Autoscaling API Operations

Autoscaling API Definitions

Batch API

Batch API Operations

Batch API Definitions

Apps API

Apps API Operations

Apps API Definitions

Extensions API

Extensions API Operations

Extensions API Definitions

kubectl CLI

kubectl Overview

kubectl for Docker Users

kubectl Usage Conventions

kubectl Commands

kubectl certificate approve

kubectl certificate deny

kubectl cluster-info

kubectl cluster-info dump

kubectl completion

kubectl config

kubectl config current-context

kubectl config delete-cluster

kubectl config delete-context

kubectl config get-clusters

kubectl config get-contexts

kubectl config set-cluster

kubectl config set-context

kubectl config set-credentials

kubectl config set

kubectl config unset

kubectl config use-context

kubectl create configmap

kubectl create deployment

kubectl create namespace

kubectl create quota

kubectl create secret docker-registry

kubectl create secret

kubectl create secret generic

kubectl create secret tls

kubectl create serviceaccount

kubectl create service clusterip

kubectl create service loadbalancer

kubectl create service nodeport

kubectl rolling-update

kubectl rollout

kubectl rollout history

kubectl rollout pause

kubectl rollout resume

kubectl rollout status

kubectl set resources

Superseded and Deprecated Commands

kubectl stop

Kubernetes Components

kube-apiserver

kube-controller-manager

kube-proxy

kube-scheduler

kubelet

Overview

Master-Node communication

TLS bootstrapping

Kubelet authentication/authorization

Glossary

Annotations

Daemon Sets

Deployments

Horizontal Pod Autoscaling

Pod Security Policies

Replica Sets

Replication Controller

Third Party Resources

Volumes

Kubernetes Design Docs

Kubernetes Architecture

Kubernetes Design Overview

Kubernetes Identity and Access Management

Kubernetes OpenVSwitch GRE/VxLAN networking

Security Contexts

Security in Kubernetes

Edit This Page

Kubelet authentication/authorization

Overview
Kubelet authentication
Kubelet authorization

Overview

A kubelet’s HTTPS endpoint exposes APIs which give access to data of varying sensitivity, and allow you to perform operations with varying levels of power on the node and within containers.

This document describes how to authenticate and authorize access to the kubelet’s HTTPS endpoint.

Kubelet authentication

By default, requests to the kubelet’s HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.

To disable anonymous access and send 401 Unauthorized responses to unauthenticated requests:

start the kubelet with the --anonymous-auth=false flag

To enable X509 client certificate authentication to the kubelet’s HTTPS endpoint:

start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates with
start the apiserver with --kubelet-client-certificate and --kubelet-client-key flags
see the apiserver authentication documentation for more details

To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet’s HTTPS endpoint:

ensure the authentication.k8s.io/v1beta1 API group is enabled in the API server
start the kubelet with the --authentication-token-webhook, --kubeconfig, and --require-kubeconfig flags
the kubelet calls the TokenReview API on the configured API server to determine user information from bearer tokens

Kubelet authorization

Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is AlwaysAllow, which allows all requests.

There are many possible reasons to subdivide access to the kubelet API:

anonymous auth is enabled, but anonymous users’ ability to call the kubelet API should be limited
bearer token auth is enabled, but arbitrary API users’ (like service accounts) ability to call the kubelet API should be limited
client certificate auth is enabled, but only some of the client certificates signed by the configured CA should be allowed to use the kubelet API

To subdivide access to the kubelet API, delegate authorization to the API server:

ensure the authorization.k8s.io/v1beta1 API group is enabled in the API server
start the kubelet with the --authorization-mode=Webhook, --kubeconfig, and --require-kubeconfig flags
the kubelet calls the SubjectAccessReview API on the configured API server to determine whether each request is authorized

The kubelet authorizes API requests using the same request attributes approach as the apiserver.

The verb is determined from the incoming request’s HTTP verb:

HTTP verb	request verb
POST	create
GET, HEAD	get
PUT	update
PATCH	patch
DELETE	delete

The resource and subresource is determined from the incoming request’s path:

Kubelet API	resource	subresource
/stats/*	nodes	stats
/metrics/*	nodes	metrics
/logs/*	nodes	log
/spec/*	nodes	spec
all others	nodes	proxy

The namespace and API group attributes are always an empty string, and the resource name is always the name of the kubelet’s Node API object.

When running in this mode, ensure the user identified by the --kubelet-client-certificate and --kubelet-client-key flags passed to the apiserver is authorized for the following attributes:

verb=*, resource=nodes, subresource=proxy
verb=*, resource=nodes, subresource=stats
verb=*, resource=nodes, subresource=log
verb=*, resource=nodes, subresource=spec
verb=*, resource=nodes, subresource=metrics

Create an Issue Edit this Page