A kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity, and allow you to perform operations with varying levels of power on the node and within containers.
This document describes how to authenticate and authorize access to the kubelet's HTTPS endpoint.
By default, requests to the kubelet's HTTPS endpoint that are not rejected by other configured
authentication methods are treated as anonymous requests, and given a username of system:anonymous
and a group of system:unauthenticated.
To disable anonymous access and send 401 Unauthorized responses to unauthenticated requests:
- start the kubelet with the --anonymous-auth=false flag

To enable X509 client certificate authentication to the kubelet's HTTPS endpoint:

- start the kubelet with the --client-ca-file flag, providing a CA bundle to verify client certificates with
- start the apiserver with the --kubelet-client-certificate and --kubelet-client-key flags

To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint:

- ensure the authentication.k8s.io/v1 API group is enabled in the API server
- start the kubelet with the --authentication-token-webhook and --kubeconfig flags
- the kubelet calls the TokenReview API on the configured API server to determine user information from bearer tokens

Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is AlwaysAllow, which allows all requests.
There are many possible reasons to subdivide access to the kubelet API:
To subdivide access to the kubelet API, delegate authorization to the API server:
- ensure the authorization.k8s.io/v1 API group is enabled in the API server
- start the kubelet with the --authorization-mode=Webhook and the --kubeconfig flags
- the kubelet calls the SubjectAccessReview API on the configured API server to determine whether each request is authorized

The kubelet authorizes API requests using the same request attributes approach as the apiserver.
The verb is determined from the incoming request's HTTP verb:
| HTTP verb | request verb |
|---|---|
| POST | create |
| GET, HEAD | get |
| PUT | update |
| PATCH | patch |
| DELETE | delete |
The resource and subresource are determined from the incoming request's path:
| Kubelet API | resource | subresource |
|---|---|---|
| /stats/* | nodes | stats |
| /metrics/* | nodes | metrics |
| /logs/* | nodes | log |
| /spec/* | nodes | spec |
| /checkpoint/* | nodes | checkpoint |
| all others | nodes | proxy |
The nodes/proxy permission grants access to all other kubelet APIs.
This includes APIs that can be used to execute commands in any container running on the node.
Some of these endpoints support WebSocket protocols via HTTP GET requests, which are authorized with the get verb.
This means that get permission on nodes/proxy is not a read-only permission:
it authorizes executing commands in any container running on the node.
The namespace and API group attributes are always an empty string, and
the resource name is always the name of the kubelet's Node API object.
When running in this mode, ensure the user identified by the --kubelet-client-certificate and --kubelet-client-key
flags passed to the apiserver is authorized for the following attributes:
Feature state: Kubernetes v1.33 beta (enabled by default)
When the feature gate KubeletFineGrainedAuthz is enabled, the kubelet performs a
fine-grained check before falling back to the proxy subresource for the /pods,
/runningPods, /configz and /healthz endpoints. The resource and subresource
are determined from the incoming request's path:
| Kubelet API | resource | subresource |
|---|---|---|
| /stats/* | nodes | stats |
| /metrics/* | nodes | metrics |
| /logs/* | nodes | log |
| /pods | nodes | pods, proxy |
| /runningPods/ | nodes | pods, proxy |
| /healthz | nodes | healthz, proxy |
| /configz | nodes | configz, proxy |
| all others | nodes | proxy |
When the feature gate KubeletFineGrainedAuthz is enabled, ensure the user
identified by the --kubelet-client-certificate and --kubelet-client-key
flags passed to the API server is authorized for the following attributes:
If RBAC authorization is used and this gate is enabled, also ensure that the
built-in system:kubelet-api-admin ClusterRole is updated with permissions to
access all of the subresources listed above.
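The following Go program is an added example, not code from the Kubernetes documentation or the kubelet itself. It models the attribute derivation from both tables above (verb from the HTTP method, nodes/<subresource> from the path, with and without the KubeletFineGrainedAuthz gate), evaluates the result against simplified RBAC-style rules, and renders the SubjectAccessReview body that such a check produces. The rule sets, the node name node-1 and the request paths (including the /exec/... path used to stand in for one of the "all others" endpoints) are constructed for the demonstration; the reading of "/x/*" as "/x or anything below /x/" and the pass-through of HTTP methods absent from the first table are assumptions, not behaviour taken from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Attributes are what the kubelet derives from a request: namespace and API
// group are always empty, Resource is always "nodes", Name is the Node name.
type Attributes struct{ Verb, Resource, Subresource, Name string }

// HTTP method to request verb, per the first table above.
var verbs = map[string]string{
	http.MethodPost: "create", http.MethodGet: "get", http.MethodHead: "get",
	http.MethodPut: "update", http.MethodPatch: "patch", http.MethodDelete: "delete",
}

// Prefixes with their own subresource; "/x/*" is read (assumption) as "/x" or anything below "/x/".
var prefixed = map[string]string{"/stats": "stats", "/metrics": "metrics",
	"/logs": "log", "/spec": "spec", "/checkpoint": "checkpoint"}

// subresourcesFor lists the subresources to check, in order. Without the
// KubeletFineGrainedAuthz gate only the first entry applies; with it, /pods,
// /runningPods, /healthz and /configz are checked against their specific
// subresource before falling back to "proxy", as the second table shows.
func subresourcesFor(path string, fineGrained bool) []string {
	for root, sub := range prefixed {
		if path == root || strings.HasPrefix(path, root+"/") {
			return []string{sub}
		}
	}
	if fineGrained {
		switch strings.TrimSuffix(path, "/") {
		case "/pods", "/runningPods":
			return []string{"pods", "proxy"}
		case "/healthz":
			return []string{"healthz", "proxy"}
		case "/configz":
			return []string{"configz", "proxy"}
		}
	}
	return []string{"proxy"}
}

// Rule is a simplified RBAC PolicyRule for the nodes resource: Resources holds
// "nodes/<subresource>" entries, and "*" matches anything.
type Rule struct{ Verbs, Resources []string }

func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Authorize evaluates a kubelet request the way a webhook authorizer backed by
// RBAC would: the first subresource any rule grants wins. The returned
// Attributes are the ones checked last.
func Authorize(rules []Rule, method, path, node string, fineGrained bool) (bool, Attributes) {
	verb, known := verbs[method]
	if !known { // assumption: methods outside the table pass through lower-cased
		verb = strings.ToLower(method)
	}
	a := Attributes{Verb: verb, Resource: "nodes", Name: node}
	for _, sub := range subresourcesFor(path, fineGrained) {
		a.Subresource = sub
		for _, r := range rules {
			if matches(r.Verbs, a.Verb) && matches(r.Resources, "nodes/"+sub) {
				return true, a
			}
		}
	}
	return false, a
}

// SubjectAccessReviewJSON renders the review body the kubelet sends to the API
// server for one check, using authorization.k8s.io/v1 field names.
func SubjectAccessReviewJSON(user string, groups []string, a Attributes) string {
	body := map[string]interface{}{"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
		"spec": map[string]interface{}{"user": user, "groups": groups, "resourceAttributes": map[string]string{
			"namespace": "", "group": "", "verb": a.Verb, "resource": a.Resource,
			"subresource": a.Subresource, "name": a.Name}}}
	out, _ := json.MarshalIndent(body, "", "  ")
	return string(out)
}

func main() {
	// Constructed rule sets; /exec/... stands in for an "all others" endpoint.
	getProxy := []Rule{{Verbs: []string{"get"}, Resources: []string{"nodes/proxy"}}}
	podsOnly := []Rule{{Verbs: []string{"get"}, Resources: []string{"nodes/pods"}}}
	ok, a := Authorize(getProxy, http.MethodGet, "/exec/default/web/nginx", "node-1", false)
	fmt.Println("get on nodes/proxy reaches exec:", ok)
	ok, a = Authorize(podsOnly, http.MethodGet, "/pods", "node-1", true)
	fmt.Println("get on nodes/pods reads /pods with the gate on:", ok)
	fmt.Println(SubjectAccessReviewJSON("system:serviceaccount:kube-system:pod-lister", []string{"system:serviceaccounts"}, a))
}
```

The two runs in main make the page's caveat concrete: a rule granting only get on nodes/proxy authorizes a GET to an exec-style endpoint, because everything outside the named prefixes collapses to the proxy subresource, while a subject limited to nodes/pods can read /pods only when the fine-grained gate is on and still cannot reach the proxy endpoints. When reviewing ClusterRoles bound to monitoring or logging agents, grant the specific subresource (nodes/metrics, nodes/stats, nodes/log, and with the gate nodes/pods) rather than nodes/proxy, and treat any get on nodes/proxy as equivalent to command execution on the node.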