k3s/docs/admin/accessing-the-api.md

<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->

<!-- BEGIN STRIP_FOR_RELEASE -->

<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">
<img src="http://kubernetes.io/img/warning.png" alt="WARNING"
     width="25" height="25">

<h2>PLEASE NOTE: This document applies to the HEAD of the source tree</h2>

If you are using a released version of Kubernetes, you should
refer to the docs that go with that version.

<strong>
The latest 1.0.x release of this document can be found
[here](http://releases.k8s.io/release-1.0/docs/admin/accessing-the-api.md).

Documentation for other releases can be found at
[releases.k8s.io](http://releases.k8s.io).
</strong>
--

<!-- END STRIP_FOR_RELEASE -->

<!-- END MUNGE: UNVERSIONED_WARNING -->

# Configuring APIserver ports

This document describes what ports the Kubernetes apiserver
may serve on and how to reach them.  The audience is
cluster administrators who want to customize their cluster
or understand the details.

Most questions about accessing the cluster are covered
in [Accessing the cluster](../user-guide/accessing-the-cluster.md).


## Ports and IPs Served On

The Kubernetes API is served by the Kubernetes apiserver process.  Typically,
there is one of these running on a single kubernetes-master node.

By default the Kubernetes APIserver serves HTTP on 2 ports:
  1. Localhost Port
    - serves HTTP
    - default is port 8080, change with `--insecure-port` flag.
    - defaults IP is localhost, change with `--insecure-bind-address` flag.
    - no authentication or authorization checks in HTTP
    - protected by need to have host access
  2. Secure Port
    - default is port 6443, change with `--secure-port` flag.
    - default IP is first non-localhost network interface, change with `--bind-address` flag.
    - serves HTTPS.  Set cert with `--tls-cert-file` and key with `--tls-private-key-file` flag.
    - uses token-file or client-certificate based [authentication](authentication.md).
    - uses policy-based [authorization](authorization.md).
  3. Removed: ReadOnly Port
    - For security reasons, this had to be removed. Use the [service account](../user-guide/service-accounts.md) feature instead.

## Proxies and Firewall rules

Additionally, in some configurations there is a proxy (nginx) running
on the same machine as the apiserver process.  The proxy serves HTTPS protected
by Basic Auth on port 443, and proxies to the apiserver on localhost:8080. In
these configurations the secure port is typically set to 6443.

A firewall rule is typically configured to allow external HTTPS access to port 443.

The above are defaults and reflect how Kubernetes is deployed to Google Compute Engine using
kube-up.sh.  Other cloud providers may vary.

## Use Cases vs IP:Ports

There are three differently configured serving ports because there are a
variety of uses cases:
   1. Clients outside of a Kubernetes cluster, such as human running `kubectl`
      on desktop machine.  Currently, accesses the Localhost Port via a proxy (nginx)
      running on the `kubernetes-master` machine.  The proxy can use cert-based authentication
      or token-based authentication.
   2. Processes running in Containers on Kubernetes that need to read from
      the apiserver.  Currently, these can use a [service account](../user-guide/service-accounts.md).
   3. Scheduler and Controller-manager processes, which need to do read-write
      API operations, using service accounts to avoid the need to be co-located.
   4. Kubelets, which need to do read-write API operations and are necessarily
      on different machines than the apiserver.  Kubelet uses the Secure Port
      to get their pods, to find the services that a pod can see, and to
      write events.  Credentials are distributed to kubelets at cluster
      setup time. Kubelet and kube-proxy can use cert-based authentication or token-based
      authentication.

## Expected changes

   - Policy will limit the actions kubelets can do via the authed port.

<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/accessing-the-api.md?pixel)]()
<!-- END MUNGE: GENERATED_ANALYTICS -->
Run gendocs and munges 2015-07-12 04:04:52 +00:00			`<!-- BEGIN MUNGE: UNVERSIONED_WARNING -->`

			`<!-- BEGIN STRIP_FOR_RELEASE -->`

Better scary message 2015-07-16 17:02:26 +00:00			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
			`<img src="http://kubernetes.io/img/warning.png" alt="WARNING"`
			`width="25" height="25">`
Run gendocs 2015-07-13 22:15:35 +00:00
Better scary message 2015-07-16 17:02:26 +00:00			`<h2>PLEASE NOTE: This document applies to the HEAD of the source tree</h2>`
Run gendocs and munges 2015-07-12 04:04:52 +00:00
Better scary message 2015-07-16 17:02:26 +00:00			`If you are using a released version of Kubernetes, you should`
			`refer to the docs that go with that version.`
Run gendocs and munges 2015-07-12 04:04:52 +00:00
Better scary message 2015-07-16 17:02:26 +00:00			`<strong>`
			`The latest 1.0.x release of this document can be found`
			`[here](http://releases.k8s.io/release-1.0/docs/admin/accessing-the-api.md).`

			`Documentation for other releases can be found at`
			`[releases.k8s.io](http://releases.k8s.io).`
			`</strong>`
			`--`
Run gendocs 2015-07-13 22:15:35 +00:00
Run gendocs and munges 2015-07-12 04:04:52 +00:00			`<!-- END STRIP_FOR_RELEASE -->`

			`<!-- END MUNGE: UNVERSIONED_WARNING -->`
Run gendocs 2015-07-17 22:35:41 +00:00
Rewrite docs for accessing the cluster. Put discussion of how to access the API ahead of discussion about how to access other services on the cluster. More clearly distinguish the different kinds of proxies. Explain pros and cons of different approaches better. Remove cluster-admin-oriented documentation from user guide. More links. 2015-06-05 23:33:57 +00:00			`# Configuring APIserver ports`

Fix capitalization of Kubernetes in the documentation. 2015-07-20 20:45:36 +00:00			`This document describes what ports the Kubernetes apiserver`
Rewrite docs for accessing the cluster. Put discussion of how to access the API ahead of discussion about how to access other services on the cluster. More clearly distinguish the different kinds of proxies. Explain pros and cons of different approaches better. Remove cluster-admin-oriented documentation from user guide. More links. 2015-06-05 23:33:57 +00:00			`may serve on and how to reach them. The audience is`
			`cluster administrators who want to customize their cluster`
Do not use outdated flags in accessing_the_api.md 2015-06-24 03:49:07 +00:00			`or understand the details.`
Rewrite docs for accessing the cluster. Put discussion of how to access the API ahead of discussion about how to access other services on the cluster. More clearly distinguish the different kinds of proxies. Explain pros and cons of different approaches better. Remove cluster-admin-oriented documentation from user guide. More links. 2015-06-05 23:33:57 +00:00
			`Most questions about accessing the cluster are covered`
automated link fixes 2015-07-14 16:37:37 +00:00			`in [Accessing the cluster](../user-guide/accessing-the-cluster.md).`
Rewrite docs for accessing the cluster. Put discussion of how to access the API ahead of discussion about how to access other services on the cluster. More clearly distinguish the different kinds of proxies. Explain pros and cons of different approaches better. Remove cluster-admin-oriented documentation from user guide. More links. 2015-06-05 23:33:57 +00:00
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00
			`## Ports and IPs Served On`
Run gendocs 2015-07-17 22:35:41 +00:00
Fix capitalization of Kubernetes in the documentation. 2015-07-20 20:45:36 +00:00			`The Kubernetes API is served by the Kubernetes apiserver process. Typically,`
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00			`there is one of these running on a single kubernetes-master node.`

remove ro service 2015-05-06 21:54:54 +00:00			`By default the Kubernetes APIserver serves HTTP on 2 ports:`
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00			`1. Localhost Port`
			`- serves HTTP`
Do not use outdated flags in accessing_the_api.md 2015-06-24 03:49:07 +00:00			- default is port 8080, change with `--insecure-port` flag.
			- defaults IP is localhost, change with `--insecure-bind-address` flag.
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00			`- no authentication or authorization checks in HTTP`
			`- protected by need to have host access`
remove ro service 2015-05-06 21:54:54 +00:00			`2. Secure Port`
Do not use outdated flags in accessing_the_api.md 2015-06-24 03:49:07 +00:00			- default is port 6443, change with `--secure-port` flag.
			- default IP is first non-localhost network interface, change with `--bind-address` flag.
			- serves HTTPS. Set cert with `--tls-cert-file` and key with `--tls-private-key-file` flag.
Auto-fixed docs 2015-07-10 01:02:10 +00:00			`- uses token-file or client-certificate based [authentication](authentication.md).`
			`- uses policy-based [authorization](authorization.md).`
remove ro service 2015-05-06 21:54:54 +00:00			`3. Removed: ReadOnly Port`
Various minor edits/clarifications to docs/admin/ docs. Deleted docs/admin/namespaces.md as it was content-free and the topic is already covered well in docs/user-guide/namespaces.md 2015-07-17 17:12:08 +00:00			`- For security reasons, this had to be removed. Use the [service account](../user-guide/service-accounts.md) feature instead.`
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00
			`## Proxies and Firewall rules`

Remove nginx and replace basic auth with bearer token auth for GCE. - Configure the apiserver to listen securely on 443 instead of 6443. - Configure the kubelet to connect to 443 instead of 6443. - Update documentation to refer to bearer tokens instead of basic auth. 2015-04-17 21:04:14 +00:00			`Additionally, in some configurations there is a proxy (nginx) running`
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00			`on the same machine as the apiserver process. The proxy serves HTTPS protected`
Remove nginx and replace basic auth with bearer token auth for GCE. - Configure the apiserver to listen securely on 443 instead of 6443. - Configure the kubelet to connect to 443 instead of 6443. - Update documentation to refer to bearer tokens instead of basic auth. 2015-04-17 21:04:14 +00:00			`by Basic Auth on port 443, and proxies to the apiserver on localhost:8080. In`
			`these configurations the secure port is typically set to 6443.`

			`A firewall rule is typically configured to allow external HTTPS access to port 443.`
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00
Replaced (or defined first instance of) GKE/GCE with Google Container Engine/Google Compute Engine Fixes #10354 2015-06-26 19:13:43 +00:00			`The above are defaults and reflect how Kubernetes is deployed to Google Compute Engine using`
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00			`kube-up.sh. Other cloud providers may vary.`

			`## Use Cases vs IP:Ports`

			`There are three differently configured serving ports because there are a`
			`variety of uses cases:`
			1. Clients outside of a Kubernetes cluster, such as human running `kubectl`
			`on desktop machine. Currently, accesses the Localhost Port via a proxy (nginx)`
Clarify authentication methods for k8s components. 2015-09-09 18:16:56 +00:00			running on the `kubernetes-master` machine. The proxy can use cert-based authentication
			`or token-based authentication.`
Various minor edits/clarifications to docs/admin/ docs. Deleted docs/admin/namespaces.md as it was content-free and the topic is already covered well in docs/user-guide/namespaces.md 2015-07-17 17:12:08 +00:00			`2. Processes running in Containers on Kubernetes that need to read from`
			`the apiserver. Currently, these can use a [service account](../user-guide/service-accounts.md).`
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00			`3. Scheduler and Controller-manager processes, which need to do read-write`
Remove some stuff that looks obsolete from api-server certs/access docs 2015-09-24 21:24:35 +00:00			`API operations, using service accounts to avoid the need to be co-located.`
Remove nginx and replace basic auth with bearer token auth for GCE. - Configure the apiserver to listen securely on 443 instead of 6443. - Configure the kubelet to connect to 443 instead of 6443. - Update documentation to refer to bearer tokens instead of basic auth. 2015-04-17 21:04:14 +00:00			`4. Kubelets, which need to do read-write API operations and are necessarily`
			`on different machines than the apiserver. Kubelet uses the Secure Port`
Update ports doc. Fix. 2015-02-12 16:35:49 +00:00			`to get their pods, to find the services that a pod can see, and to`
			`write events. Credentials are distributed to kubelets at cluster`
Clarify authentication methods for k8s components. 2015-09-09 18:16:56 +00:00			`setup time. Kubelet and kube-proxy can use cert-based authentication or token-based`
			`authentication.`
Add a third port which has HTTPS and auth(n,z) It is disabled by default. Document all the various and sundry (3) ports. 2014-11-06 00:05:06 +00:00
Update ports doc. Fix. 2015-02-12 16:35:49 +00:00			`## Expected changes`
Run gendocs 2015-07-17 22:35:41 +00:00
Update ports doc. Fix. 2015-02-12 16:35:49 +00:00			`- Policy will limit the actions kubelets can do via the authed port.`
Add ga-beacon analytics to gendocs scripts hack/run-gendocs.sh puts ga-beacon analytics link into all md files, hack/verify-gendocs.sh verifies presence of link. 2015-05-14 22:12:45 +00:00
Apply mungedocs changes 2015-07-14 00:13:09 +00:00			`<!-- BEGIN MUNGE: GENERATED_ANALYTICS -->`
standardize on - instead of _ in file names 2015-07-10 19:39:25 +00:00			`[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/docs/admin/accessing-the-api.md?pixel)]()`
Apply mungedocs changes 2015-07-14 00:13:09 +00:00			`<!-- END MUNGE: GENERATED_ANALYTICS -->`