rbac for kubelet authorization

now we configure rbac so that the api server is allowed to reach the kubelet on each of the worker nodes - the kubelet runs with the --authorization-mode flag set to Webhook, so it does not decide on its own: every incoming request (logs, exec, port-forward, metrics) is wrapped in a SubjectAccessReview and sent to the api server, which answers with allow/deny based on rbac

let us create a ClusterRole called system:kube-apiserver-to-kubelet that grants access to the node subresources the api server needs

on master

cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-apiserver-to-kubelet
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
    verbs:
      - "*"
EOF

see reference: Role and ClusterRole

the api server authenticates to the kubelet as the kube-apiserver user, which is the CN of the client certificate given to it by the --kubelet-client-certificate flag

bind the system:kube-apiserver-to-kubelet ClusterRole to the kube-apiserver user - the subject name in the binding must match that certificate CN exactly, otherwise the webhook check fails and the api server gets 403 from every kubelet

cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kube-apiserver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kube-apiserver
EOF

see reference: RoleBinding and ClusterRoleBinding
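to see what the two manifests above actually decide, here is a small local simulation (added example, not part of this page or of kubernetes-the-hard-way): it builds the SubjectAccessReview body the kubelet would send and evaluates it against an in-memory copy of the ClusterRole and ClusterRoleBinding from this page. the evaluator is a deliberately simplified stand-in for the real rbac authorizer (no groups, no aggregation, no non-resource urls, no resourceNames) and the node/user names are constructed

```python
"""Simulate the kubelet Webhook authorization path against the rbac on this page.

The kubelet wraps each request it receives in a SubjectAccessReview (SAR) and
POSTs it to the api server; the api server evaluates rbac and fills in .status.
Rules and binding below mirror the two manifests on the page; the matching
logic is a simplified stand-in for the real authorizer (assumption: no groups,
aggregation, non-resource URLs or resourceNames).
"""
from typing import Dict, List

# mirror of ClusterRole system:kube-apiserver-to-kubelet
CLUSTER_ROLES: Dict[str, List[dict]] = {
    "system:kube-apiserver-to-kubelet": [
        {
            "apiGroups": [""],
            "resources": ["nodes/proxy", "nodes/stats", "nodes/log",
                          "nodes/spec", "nodes/metrics"],
            "verbs": ["*"],
        }
    ],
}

# mirror of ClusterRoleBinding system:kube-apiserver (User kube-apiserver -> role)
CLUSTER_ROLE_BINDINGS: List[dict] = [
    {"role": "system:kube-apiserver-to-kubelet",
     "subjects": [{"kind": "User", "name": "kube-apiserver"}]},
]


def subject_access_review(user: str, verb: str, resource: str,
                          subresource: str = "", name: str = "",
                          group: str = "") -> dict:
    """Body the kubelet sends to /apis/authorization.k8s.io/v1/subjectaccessreviews."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "resourceAttributes": {
                "group": group, "verb": verb, "resource": resource,
                "subresource": subresource, "name": name,
            },
        },
    }


def _rule_matches(rule: dict, attrs: dict) -> bool:
    """One PolicyRule against one request; every dimension must match."""
    if "*" not in rule["verbs"] and attrs["verb"] not in rule["verbs"]:
        return False
    # "" is the core api group, "*" a wildcard
    if "*" not in rule["apiGroups"] and attrs["group"] not in rule["apiGroups"]:
        return False
    # "nodes/proxy" matches resource nodes WITH subresource proxy only:
    # a bare "nodes" entry would not grant the subresource, and vice versa
    wanted = attrs["resource"]
    if attrs["subresource"]:
        wanted = f'{attrs["resource"]}/{attrs["subresource"]}'
    for r in rule["resources"]:
        if r == "*" or r == wanted:
            return True
        if attrs["subresource"] and r == "*/" + attrs["subresource"]:
            return True
    return False


def authorize(sar: dict) -> dict:
    """Fill in .status the way the api server answers a SAR (first allow wins)."""
    spec = sar["spec"]
    attrs = spec["resourceAttributes"]
    for binding in CLUSTER_ROLE_BINDINGS:
        users = {s["name"] for s in binding["subjects"] if s["kind"] == "User"}
        if spec["user"] not in users:          # subject name must equal cert CN
            continue
        for rule in CLUSTER_ROLES.get(binding["role"], []):
            if _rule_matches(rule, attrs):
                sar["status"] = {
                    "allowed": True,
                    "reason": f'RBAC: allowed by ClusterRoleBinding to ClusterRole "{binding["role"]}"',
                }
                return sar
    sar["status"] = {"allowed": False, "reason": "no RBAC policy matched"}
    return sar


def allowed(user: str, verb: str, resource: str,
            subresource: str = "", name: str = "") -> bool:
    """Convenience wrapper: would the api server allow this kubelet request?"""
    sar = subject_access_review(user, verb, resource, subresource, name)
    return authorize(sar)["status"]["allowed"]


if __name__ == "__main__":
    # constructed sample requests a kubelet on node "worker-1" might see
    print(allowed("kube-apiserver", "get", "nodes", "log", "worker-1"))     # True
    print(allowed("kube-apiserver", "get", "nodes", "", "worker-1"))        # False
    print(allowed("system:kube-apiserver", "get", "nodes", "proxy", "worker-1"))  # False
```

the three sample calls show the points that matter in practice: the role grants only the listed subresources (nodes/log etc.), not the node object itself, and a user name that differs from the binding subject (here system:kube-apiserver instead of kube-apiserver) is denied even though the role exists. on a real cluster the equivalent check is kubectl auth can-i get nodes/proxy --as kube-apiserver --kubeconfig admin.kubeconfig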


— copyleft —

all commands shown on this page are from mmumshad’s fork of “kubernetes-the-hard-way” by kelseyhightower on github