Add warnings about self signed certs and MitM attacks.

Also put in pointers for IRC and mailing lists.
2014-06-09 16:46:16 -07:00 · 2014-06-09 16:46:16 -07:00 · 196d0965ec
parent fd36e8b9f2
commit 196d0965ec
3 changed files with 15 additions and 2 deletions
--- a/DESIGN.md
+++ b/DESIGN.md
@ -106,6 +106,8 @@ The bootstrapping works like this:

 ### Cluster Security

-As there is no security currently built into the `apiserver`, the salt configuration will install `nginx`.  `nginx` is configured to serve HTTPS with a self signed certificate.  HTTP basic auth is used from the client to `nginx`.  `nginx` then forwards the request on to the `apiserver` over plain old HTTP.
+As there is no security currently built into the `apiserver`, the salt configuration will install `nginx`.  `nginx` is configured to serve HTTPS with a self signed certificate.  HTTP basic auth is used from the client to `nginx`.  `nginx` then forwards the request on to the `apiserver` over plain old HTTP.  Because a self signed certificate is used access to server should be safe from eavesdropping but is subject to "man in the middle" attacks.  Access via the browser will result in warnings and tools like curl will require an "--insecure" flag.
+
+All communication within the cluster (worker nodes to the master, for instance) occurs on the internal virtual network and should be safe from eavesdropping.

 The password is generated randomly as part of the `kube-up.sh` script and stored in `~/.kubernetes_auth`.
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # Kubernetes

-Kubernetes is an open source reference implementation of container cluster management.
+Kubernetes is an open source implementation of container cluster management.

 [Kubernetes Design Document](https://github.com/GoogleCloudPlatform/kubernetes/blob/master/DESIGN.md)

@ -89,6 +89,14 @@ cluster/kube-down.sh

 Or fork and start hacking!

+## Community, discussion and support
+
+If you have questions or want to start contributing please reach out.  We don't bite!
+
+The Kubernetes team is hanging out on IRC on the [#google-containers room on freenode.net](http://webchat.freenode.net/?channels=google-containers).  We also have the [google-containers Google Groups mailing list](https://groups.google.com/forum/#!forum/google-containers).
+
+If you are a company and are looking for a more formal engagement with Google around Kubernetes and containers at Google as a whole, please fill out [this form](https://docs.google.com/a/google.com/forms/d/1_RfwC8LZU4CKe4vKq32x5xpEJI5QZ-j0ShGmZVv9cm4/viewform). and we'll be in touch.
+
 ## Development

 ### Hooks
@ -148,3 +156,4 @@ Install [nodejs](http://nodejs.org/download/), [npm](https://www.npmjs.org/), an
 cd kubernetes/api
 raml2html kubernetes.raml > kubernetes.html
 ```
+
--- a/cluster/kube-up.sh
+++ b/cluster/kube-up.sh
@ -150,5 +150,7 @@ echo "Kubernetes cluster is running.  Access the master at:"
 echo
 echo "  https://${user}:${passwd}@${KUBE_MASTER_IP}"
 echo
+echo "Security note: The server above uses a self signed certificate.  This is"
+echo "    subject to \"Man in the middle\" type attacks."