@@ -85,3 +85,38 @@ flags passed to the apiserver is authorized for the following attributes:
8585* verb=\* , resource=nodes, subresource=log
8686* verb=\* , resource=nodes, subresource=spec
8787* verb=\* , resource=nodes, subresource=metrics
88+
89+ ### Fine-grained authorization
90+
91+ {{< feature-state feature_gate_name="KubeletFineGrainedAuthz" >}}
92+
93+ When the feature gate ` KubeletFineGrainedAuthz ` is enabled kubelet performs a
94+ fine-grained check before falling back to the ` proxy ` subresource for the ` /pods ` ,
95+ ` /runningPods ` , ` /configz ` and ` /healthz ` endpoints. The resource and subresource
96+ are determined from the incoming request's path:
97+
98+ Kubelet API | resource | subresource
99+ --------------|----------|------------
100+ /stats/\* | nodes | stats
101+ /metrics/\* | nodes | metrics
102+ /logs/\* | nodes | log
103+ /spec/\* | nodes | spec
104+ /pods | nodes | pods, proxy
105+ /runningPods/ | nodes | pods, proxy
106+ /healthz | nodes | healthz, proxy
107+ /configz | nodes | configz, proxy
108+ * all others* | nodes | proxy
109+
110+
111+ When the feature-gate ` KubeletFineGrainedAuthz ` is enabled, ensure the user
112+ identified by the ` --kubelet-client-certificate ` and ` --kubelet-client-key `
113+ flags passed to the API server is authorized for the following attributes:
114+
115+ * verb=\* , resource=nodes, subresource=proxy
116+ * verb=\* , resource=nodes, subresource=stats
117+ * verb=\* , resource=nodes, subresource=log
118+ * verb=\* , resource=nodes, subresource=spec
119+ * verb=\* , resource=nodes, subresource=metrics
120+ * verb=\* , resource=nodes, subresource=configz
121+ * verb=\* , resource=nodes, subresource=healthz
122+ * verb=\* , resource=nodes, subresource=pods
0 commit comments