A kubelet’s HTTPS endpoint exposes APIs which give access to data of varying sensitivity, and allow you to perform operations with varying levels of power on the node and within containers.
This document describes how to authenticate and authorize access to the kubelet’s HTTPS endpoint.
By default, requests to the kubelet’s HTTPS endpoint that are not rejected by other configured
authentication methods are treated as anonymous requests, and given a username of
and a group of
To disable anonymous access and send
401 Unauthorized responses to unauthenticated requests:
To enable X509 client certificate authentication to the kubelet’s HTTPS endpoint:
--client-ca-file flag, providing a CA bundle to verify client certificates with
To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet’s HTTPS endpoint:
authentication.k8s.io/v1beta1 API group is enabled in the API server
--authentication-token-webhook and the
TokenReview API on the configured API server to determine user information from bearer tokens
Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is
AlwaysAllow, which allows all requests.
There are many possible reasons to subdivide access to the kubelet API:
To subdivide access to the kubelet API, delegate authorization to the API server:
authorization.k8s.io/v1beta1 API group is enabled in the API server
--authorization-mode=Webhook and the
SubjectAccessReview API on the configured API server to determine whether each request is authorized
The kubelet authorizes API requests using the same request attributes approach as the apiserver.
The verb is determined from the incoming request’s HTTP verb:
The resource and subresource is determined from the incoming request’s path:
The namespace and API group attributes are always an empty string, and
the resource name is always the name of the kubelet’s
Node API object.
When running in this mode, ensure the user identified by the
flags passed to the apiserver is authorized for the following attributes:
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on Stack Overflow. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.