From b614d3b2228a19a5845803172a6aeeb5ca0caf78 Mon Sep 17 00:00:00 2001 From: Kelsey Hightower Date: Sun, 11 Sep 2016 07:31:04 -0700 Subject: [PATCH] add details regarding the auth token --- docs/04-kubernetes-controller.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/04-kubernetes-controller.md b/docs/04-kubernetes-controller.md index 6d31545..886a4d6 100644 --- a/docs/04-kubernetes-controller.md +++ b/docs/04-kubernetes-controller.md @@ -60,16 +60,27 @@ sudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/bin/ ##### Authentication -[Token based authentication](http://kubernetes.io/docs/admin/authentication) will be used to limit access to Kubernetes API. +[Token based authentication](http://kubernetes.io/docs/admin/authentication) will be used to limit access to the Kubernetes API. The authentication token is used by the following components: + +* The Kubernetes kubelet which runs on the worker nodes +* The kubectl commandline tool + +The other components, mainly the scheduler and controller manager, access the Kubernetes API server locally over the insecure API port which does not require authentication. The insecure port is only enabled for local access. + +Download the example token file: ``` wget https://raw.githubusercontent.com/kelseyhightower/kubernetes-the-hard-way/master/token.csv ``` +Review the example token file and replace the default token. + ``` cat token.csv ``` +Move the token file into the Kubernetes configuration directory so it can be read by the Kubernetes API server. + ``` sudo mv token.csv /var/lib/kubernetes/ ``` 
@@ -78,14 +89,20 @@ sudo mv token.csv /var/lib/kubernetes/ Attribute-Based Access Control (ABAC) will be used to authorize access to the Kubernetes API. In this lab ABAC will be setup using the Kubernetes policy file backend as documented in the [Kubernetes authorization guide](http://kubernetes.io/docs/admin/authorization). +Download the example authorization policy file: + ``` wget https://raw.githubusercontent.com/kelseyhightower/kubernetes-the-hard-way/master/authorization-policy.jsonl ``` +Review the example authorization policy file. No changes are required. + ``` cat authorization-policy.jsonl ``` +Move the authorization policy file into the Kubernetes configuration directory so it can be read by the Kubernetes API server. + ``` sudo mv authorization-policy.jsonl /var/lib/kubernetes/ ```
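Review bot: In the first hunk (Authentication), the added step "Review the example token file and replace the default token." is followed only by `cat token.csv`, so a reader who runs the commands as written moves the publicly downloadable default token into /var/lib/kubernetes/ unchanged. Suggest showing how to produce a replacement value and which field of token.csv to edit, before the `sudo mv` step. Since the file holds a bearer credential, it would also help to say what ownership and mode it should have once it is in place. The new paragraph about the scheduler and controller manager using the insecure API port should state what "local access" means here, because any local process on the controller that can reach that port gets unauthenticated API access.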
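Review bot: In the second hunk (authorization policy), "Review the example authorization policy file. No changes are required." gives the reader nothing to review against, and the file is fetched from the `master` branch, so its content can change after this text is written. Suggest summarising which users the policy grants access to and at what scope, so the `cat authorization-policy.jsonl` step is a meaningful check, and noting that the user names in the policy must match those in token.csv if the reader edits that file in the previous section. Minor style point: the added lead-ins mix a trailing colon ("Download the example authorization policy file:") with a trailing period on the other two; pick one.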