What protocols can/must/should be used when accessing the kubelet API on the host node from a pod?

1/7/2017

Objective

I'm seeking clarification around the nuances of accessing the Kubelet API.

Context

I have the IP of the node (physical host's IP) that a pod is in. I would like to make calls to the Kubelet API (running on the node) e.g. to ${node_ip}:10255

Question(s)

  1. Can the protocol be HTTP?
    • If it can be HTTP, do I need to provide any form of authentication e.g. a bearer token?
  2. If it must be HTTPS, what forms of authentication must I provide?
    • Bearer token?
    • Certificates?
-- King'ori Maina
kubernetes

1 Answer

1/8/2017

There are two ports the kubelet may listen on.

--read-only-port is the http read-only port for the Kubelet to serve on with no authentication/authorization (defaults to 10255, can set to 0 to disable). If enabled, this only serves read-only data, and doesn't expose the APIs that allow pod exec/attach/proxy, etc.

--port is the https port for the Kubelet to serve all its APIs on, with optional authentication/authorization. (defaults to 10250)

See http://kubernetes.io/docs/admin/kubelet-authentication-authorization/ for the authentication/authorization options for the secure port.

Authentication options include client certificate, API bearer token, and to allow anonymous requests.

Authorization options include allowing all requests and delegating authorization to the API server via the SubjectAccessReview API.

-- Jordan Liggitt
Source: StackOverflow
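As an added example (not part of the answer, and not code from the Kubernetes project), the following Python script reads a kubelet command line and reports which of the settings described above leave the node's API exposed. The --read-only-port and --port flags and their defaults come from the answer; the --anonymous-auth, --authorization-mode, --client-ca-file and --authentication-token-webhook flag names, and the assumed defaults of anonymous auth on and AlwaysAllow, are assumptions about kubelet releases of that era and should be checked against the running version.

```python
"""Audit a kubelet command line for the read-only/secure port settings discussed above."""
import shlex

# Port defaults as stated in the answer; the anonymous-auth and
# authorization-mode defaults are assumptions about older kubelet releases.
DEFAULTS = {
    "read-only-port": "10255",
    "port": "10250",
    "anonymous-auth": "true",
    "authorization-mode": "AlwaysAllow",
}


def parse_flags(cmdline):
    """Return {flag: value} for both --flag=value and --flag value forms."""
    flags, argv, i = {}, shlex.split(cmdline), 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            key, sep, val = tok[2:].partition("=")
            if not sep:
                # A bare flag takes the next token as its value unless that token
                # is another flag, in which case it is treated as a boolean "true".
                if i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                    val, i = argv[i + 1], i + 1
                else:
                    val = "true"
            flags[key] = val
        i += 1
    return flags


def audit_kubelet(cmdline):
    """Return findings describing unauthenticated or over-permissive exposure."""
    f = {**DEFAULTS, **parse_flags(cmdline)}
    findings = []
    if f["read-only-port"] != "0":
        findings.append(f"read-only HTTP port {f['read-only-port']} serves node/pod data with no auth")
    if f["anonymous-auth"].lower() == "true":
        findings.append(f"secure port {f['port']} accepts anonymous requests")
    if f["authorization-mode"] == "AlwaysAllow":
        findings.append("authorization-mode AlwaysAllow: any authenticated caller may exec/attach/proxy")
    if "client-ca-file" not in f and f.get("authentication-token-webhook", "false").lower() != "true":
        findings.append("no client CA and no token webhook: the secure port cannot authenticate real callers")
    return findings


if __name__ == "__main__":
    # Constructed sample command line, not captured from a real node.
    for line in audit_kubelet("kubelet --address=0.0.0.0 --read-only-port=10255"):
        print("FINDING:", line)
```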