It is hard to find in Kubernetes official documents any information about this sub-resource.
In the context of RBAC, the format
node/proxy can be used to grant access to the sub-resource named
node resource. Also the same access can be granted for
We can see it from the output of available resources from the Kubernetes API server (API Version: v1.21.0):
===/api/v1=== ... nodes/proxy ... pods/proxy ... services/proxy ...
Detailed information about the usage of the proxy sub-resource can be found in The Kubernetes API (depending on the version you use), in the section
Proxy Operations for every mentioned resource: pods, nodes, services.
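An added example, not part of either answer and not Kubernetes code: a small audit that lists which ClusterRoles grant the `nodes/proxy` sub-resource, following the RBAC rule that a resource entry matches when it is `*`, the exact `resource/subresource`, or `*/subresource`. The role names, the sample data (shaped like `kubectl get clusterroles -o json` output) and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "metrics-reader"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
  {"metadata": {"name": "wild-sub"},
   "rules": [{"apiGroups": ["*"], "resources": ["*/proxy"], "verbs": ["*"]}]},
  {"metadata": {"name": "node-viewer"},
   "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
  {"metadata": {"name": "wrong-group"},
   "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "url-only"},
   "rules": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}]}
]}
""")


def rule_grants(rule, group, resource, subresource):
    """Return the verbs one rule grants on group/resource/subresource."""
    groups = rule.get("apiGroups", [])
    if "*" not in groups and group not in groups:
        return []
    wanted = f"{resource}/{subresource}"
    for res in rule.get("resources", []):
        # A bare "nodes" entry does not cover "nodes/proxy"; neither does "nodes/*".
        if res in ("*", wanted, f"*/{subresource}"):
            return sorted(rule.get("verbs", []))
    return []


def find_grants(role_list, group="", resource="nodes", subresource="proxy"):
    """Map role name -> verbs granted on the sub-resource."""
    findings = {}
    for role in role_list.get("items", []):
        verbs = set()
        for rule in role.get("rules") or []:  # aggregated roles may have null rules
            verbs.update(rule_grants(rule, group, resource, subresource))
        if verbs:
            findings[role["metadata"]["name"]] = sorted(verbs)
    return findings


if __name__ == "__main__":
    for name, verbs in find_grants(SAMPLE).items():
        print(f"{name}: nodes/proxy verbs={verbs}")
```

To review a live cluster, load the JSON from `kubectl get clusterroles -o json` in place of `SAMPLE`; the same function works for `pods/proxy` and `services/proxy` by changing the `resource` argument.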
Yes, it's true, the provided (in comments) link to the documentation might be confusing, so let me try to clarify this for you.
As per the official documentation the apiserver proxy:
- is a bastion built into the apiserver
- connects a user outside of the cluster to cluster IPs which otherwise might not be reachable
- runs in the apiserver processes
- client to proxy uses HTTPS (or http if apiserver so configured)
- proxy to target may use HTTP or HTTPS as chosen by proxy using available information
- can be used to reach a Node, Pod, or Service
- does load balancing when used to reach a Service
So answering your question - setting
clusterRole allows k8s services to access kubelet endpoints on a specific node and path.
As per the official documentation:
There are two primary communication paths from the control plane (apiserver) to the nodes. The first is from the apiserver to the kubelet process which runs on each node in the cluster. The second is from the apiserver to any node, pod, or service through the apiserver's proxy functionality.
The connections from the apiserver to the kubelet are used for:
Here are also a few running examples of using
node/proxy resource in