content/en/docs/concepts/security/controlling-access.md
Lines changed: 3 additions & 30 deletions
@@ -23,10 +23,11 @@ following diagram:
23
23
24
24
## Transport security
25
25
26
-
In a typical Kubernetes cluster, the API serves on port 443, protected by TLS.
26
+
By default, the Kubernetes API server listens on port 6443 on the first non-localhost network interface, protected by TLS. In a typical production Kubernetes cluster, the API serves on port 443. The port can be changed with the `--secure-port`, and the listening IP address with the `--bind-address` flag.
27
+
27
28
The API server presents a certificate. This certificate may be signed using
28
29
a private certificate authority (CA), or based on a public key infrastructure linked
29
-
to a generally recognized CA.
30
+
to a generally recognized CA. The certificate and corresponding private key can be set by using the `--tls-cert-file` and `--tls-private-key-file` flags.
30
31
31
32
If your cluster uses a private certificate authority, you need a copy of that CA
32
33
certificate configured into your `~/.kube/config` on the client, so that you can
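Review bot: The new sentence on the secure port is missing the word "flag" after `--secure-port` ("The port can be changed with the `--secure-port`, and the listening IP address with the `--bind-address` flag."); make it "with the `--secure-port` flag, and the listening IP address with the `--bind-address` flag". The same paragraph now says the default is 6443 and, in the next sentence, that a typical production cluster serves on 443, without saying where 443 comes from; since the first sentence describes what kube-apiserver itself binds, state that 443 is what clients typically reach through a load balancer or other front end placed in front of the API server (or drop the 443 sentence), so the two statements do not read as contradictory. Also verify the "first non-localhost network interface" wording against current `kube-apiserver --help` output for `--bind-address` before merging, since it is carried over verbatim from the section this commit deletes below.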
@@ -137,34 +138,6 @@ The cluster audits the activities generated by users, by applications that use t
137
138
138
139
For more information, see [Auditing](/docs/tasks/debug/debug-cluster/audit/).
139
140
140
-
## API server ports and IPs
141
-
142
-
The previous discussion applies to requests sent to the secure port of the API server
143
-
(the typical case). The API server can actually serve on 2 ports:
144
-
145
-
By default, the Kubernetes API server serves HTTP on 2 ports:
146
-
147
-
1.`localhost` port:
148
-
149
-
- is intended for testing and bootstrap, and for other components of the master node
150
-
(scheduler, controller-manager) to talk to the API
151
-
- no TLS
152
-
- default is port 8080
153
-
- default IP is localhost, change with `--insecure-bind-address` flag.
154
-
- request **bypasses** authentication and authorization modules.
155
-
- request handled by admission control module(s).
156
-
- protected by need to have host access
157
-
158
-
2. “Secure port”:
159
-
160
-
- use whenever possible
161
-
- uses TLS. Set cert with `--tls-cert-file` and key with `--tls-private-key-file` flag.
162
-
- default is port 6443, change with `--secure-port` flag.
163
-
- default IP is first non-localhost network interface, change with `--bind-address` flag.
164
-
- request handled by authentication and authorization modules.
165
-
- request handled by admission control module(s).
166
-
- authentication and authorization modules run.
167
-
168
141
## {{% heading "whatsnext" %}}
169
142
170
143
Read more documentation on authentication, authorization and API access control:
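Review bot: Deleting the whole "API server ports and IPs" section also drops the statement that requests on the secure port pass through authentication, authorization and admission control (the removed bullets "request handled by authentication and authorization modules." and "request handled by admission control module(s)."), and that part is not moved into "Transport security" in the first hunk, which only picks up the TLS, `--secure-port` and `--bind-address` details. Keep one sentence to that effect, for example folded into the Transport security paragraph, since it is the security-relevant point of the section. If the localhost port ("no TLS", "default is port 8080", "request **bypasses** authentication and authorization modules") is being removed because kube-apiserver no longer offers it, say so in one line instead of deleting silently, so that readers coming from older guides that still mention `--insecure-bind-address` know it is gone and do not go looking for an unauthenticated local endpoint. The deleted list also carried a duplicate bullet ("authentication and authorization modules run." right after "request handled by authentication and authorization modules."), so trimming it is welcome either way.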