Skip to content

Commit

Permalink
Remove docs related to 'require-kubeconfig'
Browse files Browse the repository at this point in the history
With kubernetes/kubernetes#58367 merged, v1.10 will not use the
"require-kubeconfig" flag. The flag has become a no-op solely to ensure
existing deployments won't break.
  • Loading branch information
tengqm committed Jan 30, 2018
1 parent dd7bb34 commit c283a4d
Show file tree
Hide file tree
Showing 4 changed files with 4 additions and 14 deletions.
8 changes: 2 additions & 6 deletions cn/docs/admin/kubelet-authentication-authorization.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,9 @@ To enable X509 client certificate authentication to the kubelet's HTTPS endpoint
To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint:

* ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authentication-token-webhook`, `--kubeconfig`, and `--require-kubeconfig` flags
* start the kubelet with the `--authentication-token-webhook` and the `--kubeconfig` flags
* the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens

**Note:** The flag `--require-kubeconfig` is deprecated as of Kubernetes 1.8, this will be removed in a future version. You no longer need to use `--require-kubeconfig` in Kubernetes 1.8.

## Kubelet authorization

Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is `AlwaysAllow`, which allows all requests.
Expand All @@ -51,11 +49,9 @@ There are many possible reasons to subdivide access to the kubelet API:
To subdivide access to the kubelet API, delegate authorization to the API server:

* ensure the `authorization.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authorization-mode=Webhook`, `--kubeconfig`, and `--require-kubeconfig` flags
* start the kubelet with the `--authorization-mode=Webhook` and the `--kubeconfig` flags
* the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized

**Note:** The flag `--require-kubeconfig` is deprecated as of Kubernetes 1.8, this will be removed in a future version. You no longer need to use `--require-kubeconfig` in Kubernetes 1.8.

The kubelet authorizes API requests using the same [request attributes](/docs/admin/authorization/#request-attributes) approach as the apiserver.

The verb is determined from the incoming request's HTTP verb:
Expand Down
1 change: 0 additions & 1 deletion cn/docs/admin/kubelet-tls-bootstrapping.md
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,6 @@ When starting the kubelet, if the file specified by `--kubeconfig` does not exis
**Note:** The following flags are required to enable this bootstrapping when starting the kubelet:

```
--require-kubeconfig
--bootstrap-kubeconfig="/path/to/bootstrap/kubeconfig"
```
Expand Down
8 changes: 2 additions & 6 deletions docs/admin/kubelet-authentication-authorization.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,9 @@ To enable X509 client certificate authentication to the kubelet's HTTPS endpoint
To enable API bearer tokens (including service account tokens) to be used to authenticate to the kubelet's HTTPS endpoint:

* ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authentication-token-webhook`, `--kubeconfig`, and `--require-kubeconfig` flags
* start the kubelet with the `--authentication-token-webhook` and `--kubeconfig` flags
* the kubelet calls the `TokenReview` API on the configured API server to determine user information from bearer tokens

**Note:** The flag `--require-kubeconfig` is deprecated as of Kubernetes 1.8, this will be removed in a future version. You no longer need to use `--require-kubeconfig` in Kubernetes 1.8.

## Kubelet authorization

Any request that is successfully authenticated (including an anonymous request) is then authorized. The default authorization mode is `AlwaysAllow`, which allows all requests.
Expand All @@ -51,11 +49,9 @@ There are many possible reasons to subdivide access to the kubelet API:
To subdivide access to the kubelet API, delegate authorization to the API server:

* ensure the `authorization.k8s.io/v1beta1` API group is enabled in the API server
* start the kubelet with the `--authorization-mode=Webhook`, `--kubeconfig`, and `--require-kubeconfig` flags
* start the kubelet with the `--authorization-mode=Webhook` and the `--kubeconfig` flags
* the kubelet calls the `SubjectAccessReview` API on the configured API server to determine whether each request is authorized

**Note:** The flag `--require-kubeconfig` is deprecated as of Kubernetes 1.8, this will be removed in a future version. You no longer need to use `--require-kubeconfig` in Kubernetes 1.8.

The kubelet authorizes API requests using the same [request attributes](/docs/admin/authorization/#request-attributes) approach as the apiserver.

The verb is determined from the incoming request's HTTP verb:
Expand Down
1 change: 0 additions & 1 deletion docs/admin/kubelet-tls-bootstrapping.md
Original file line number Diff line number Diff line change
Expand Up @@ -198,7 +198,6 @@ When starting the kubelet, if the file specified by `--kubeconfig` does not exis
**Note:** The following flags are required to enable this bootstrapping when starting the kubelet:

```
--require-kubeconfig
--bootstrap-kubeconfig="/path/to/bootstrap/kubeconfig"
```
Expand Down

0 comments on commit c283a4d

Please sign in to comment.