From 629d6657fb3c7b7efaea85ad27181eaac4f0625a Mon Sep 17 00:00:00 2001 From: Eric Tune Date: Thu, 12 Feb 2015 08:35:49 -0800 Subject: [PATCH] Update ports doc. Fix. --- docs/accessing_the_api.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/accessing_the_api.md b/docs/accessing_the_api.md index c14868c6ea6..8483bd8b23e 100644 --- a/docs/accessing_the_api.md +++ b/docs/accessing_the_api.md @@ -50,14 +50,16 @@ variety of uses cases: operations on the apiserver. Currently, these have to run on the same host as the apiserver and use the Localhost Port. 4. Kubelets, which need to do read-write API operations and are necessarily - on different machines than the apiserver. Currently, kubelets do not - use the API. + on different machines than the apiserver. Kubelet uses the Secure Port + to get their pods, to find the services that a pod can see, and to + write events. Credentials are distributed to kubelets at cluster + setup time. -## Expected Changes. -The following changes to what is decribed above are planned: - - Kubelets will soon begin using the Secure Port to get their pods and - report events. Credentials will be distributed to kubelets at cluster - setup time initially. Policy will limit the actions kubelets can do. +## Expected changes + - Policy will limit the actions kubelets can do via the authed port. + - Kube-proxy currently uses the readonly port to read services and endpoints, + but will eventually use the auth port. + - Kubelets may change from token-based authentication to cert-based-auth. - Scheduler and Controller-manager will use the Secure Port too. They will then be able to run on different machines than the apiserver. - A general mechanism will be provided for [giving credentials to
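Review bot: The added lines refer to the same port by three names: "Secure Port" in item 4, "authed port" in the first new bullet under "Expected changes", and "auth port" in the kube-proxy bullet. Use "Secure Port" in all three places, matching the unchanged Scheduler and Controller-manager bullet, so a reader does not conclude there is a separate authenticated port. In item 4, "Kubelet uses the Secure Port to get their pods" mixes singular and plural; "Kubelets use the Secure Port to get their pods" fits the rest of the item. Since "Policy will limit the actions kubelets can do" remains a planned change, item 4 could also say outright that the credentials distributed at cluster setup time are not yet restricted by policy, and the bullet "Kubelets may change from token-based authentication to cert-based-auth" would read better if item 4 first stated that those credentials are currently tokens ("cert-based-auth" should be "cert-based auth").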