From 1d116cb34e4323fceaab5b1d358cd9fe7dd3193a Mon Sep 17 00:00:00 2001
From: Kelsey Hightower
Date: Sat, 9 Jul 2016 09:28:12 -0700
Subject: [PATCH] update kubernetes controller docs

---
 docs/04-kubernetes-controller.md | 44 ++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 16 deletions(-)

diff --git a/docs/04-kubernetes-controller.md b/docs/04-kubernetes-controller.md
index 26c2368..402b680 100644
--- a/docs/04-kubernetes-controller.md
+++ b/docs/04-kubernetes-controller.md
@@ -65,10 +65,32 @@ chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl
 sudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/bin/
 ```
 
-#### Kubernetes API Server
+### Kubernetes API Server
+
+#### Setup Authentication and Authorization
+
+##### Authentication
+
+[Token based authentication](http://kubernetes.io/docs/admin/authentication) will be used to limit access to Kubernetes API.
 
 ```
-wget https://storage.googleapis.com/hightowerlabs/authorization-policy.jsonl
+wget https://raw.githubusercontent.com/kelseyhightower/kubernetes-the-hard-way/master/token.csv
+```
+
+```
+cat token.csv
+```
+
+```
+sudo mv token.csv /var/lib/kubernetes/
+```
+
+##### Authorization
+
+Attribute-Based Access Control (ABAC) will be used to authorize access to the Kubernetes API. In this lab ABAC will be setup using the Kuberentes policy file backend as documented in the [Kubernetes authorization guide](http://kubernetes.io/docs/admin/authorization).
+
+```
+wget https://raw.githubusercontent.com/kelseyhightower/kubernetes-the-hard-way/master/authorization-policy.jsonl
 ```
 
 ```
@@ -79,17 +101,7 @@ cat authorization-policy.jsonl
 sudo mv authorization-policy.jsonl /var/lib/kubernetes/
 ```
 
-```
-wget https://storage.googleapis.com/hightowerlabs/token.csv
-```
-
-```
-cat token.csv
-```
-
-```
-sudo mv token.csv /var/lib/kubernetes/
-```
+### Create the systemd unit file
 
 Capture the internal IP address:
 
@@ -154,7 +166,7 @@ sudo systemctl start kube-apiserver
 sudo systemctl status kube-apiserver --no-pager
 ```
 
-#### Kubernetes Controller Manager
+### Kubernetes Controller Manager
 
 ```
 cat > kube-controller-manager.service <<"EOF"
@@ -200,7 +212,7 @@ sudo systemctl start kube-controller-manager
 sudo systemctl status kube-controller-manager --no-pager
 ```
 
-#### Kubernetes Scheduler
+### Kubernetes Scheduler
 
 ```
 cat > kube-scheduler.service <<"EOF"
@@ -240,7 +252,7 @@ sudo systemctl status kube-scheduler --no-pager
 ```
 
 
-#### Verification
+### Verification
 
 ```
 kubectl get componentstatuses