Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
3bdb51e7
Commit
3bdb51e7
authored
Sep 09, 2015
by
Jimmy Cuadra
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Clarify authentication methods for k8s components.
parent
c08ee667
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
4 additions
and
7 deletions
+4
-7
accessing-the-api.md
docs/admin/accessing-the-api.md
+4
-7
No files found.
docs/admin/accessing-the-api.md
View file @
3bdb51e7
...
...
@@ -81,7 +81,8 @@ There are three differently configured serving ports because there are a
variety of uses cases:
1.
Clients outside of a Kubernetes cluster, such as human running
`kubectl`
on desktop machine. Currently, accesses the Localhost Port via a proxy (nginx)
running on the
`kubernetes-master`
machine. Proxy uses bearer token authentication.
running on the
`kubernetes-master`
machine. The proxy can use cert-based authentication
or token-based authentication.
2.
Processes running in Containers on Kubernetes that need to read from
the apiserver. Currently, these can use a
[
service account
](
../user-guide/service-accounts.md
)
.
3.
Scheduler and Controller-manager processes, which need to do read-write
...
...
@@ -92,18 +93,14 @@ variety of uses cases:
on different machines than the apiserver. Kubelet uses the Secure Port
to get their pods, to find the services that a pod can see, and to
write events. Credentials are distributed to kubelets at cluster
setup time. Kubelets use cert-based auth, while kube-proxy uses token-based auth.
setup time. Kubelet and kube-proxy can use cert-based authentication or token-based
authentication.
## Expected changes
-
Policy will limit the actions kubelets can do via the authed port.
-
Scheduler and Controller-manager will use the Secure Port too. They
will then be able to run on different machines than the apiserver.
-
Clients, like kubectl, will all support token-based auth, and the
Localhost will no longer be needed, and will not be the default.
However, the localhost port may continue to be an option for
installations that want to do their own auth proxy.
<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[

]()
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment