for automated provisioning of kubelet client certificates.
38
39
39
-
Pods that wish to connect to the API server can do so securely by leveraging a service account so
40
+
{{< glossary_tooltip text="Pods" term_id="pod" >}} that wish to connect to the API server can do so securely by leveraging a service account so
40
41
that Kubernetes will automatically inject the public root certificate and a valid bearer token
41
42
into the pod when it is instantiated.
42
43
The `kubernetes` service (in `default` namespace) is configured with a virtual IP address that is
43
-
redirected (via `kube-proxy`) to the HTTPS endpoint on the API server.
44
+
redirected (via `{{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}}`) to the HTTPS endpoint on the API server.
44
45
45
46
The control plane components also communicate with the API server over the secure port.
46
47
47
-
As a result, the default operating mode for connections from the nodes and pods running on the
48
+
As a result, the default operating mode for connections from the nodes and pod running on the
48
49
nodes to the control plane is secured by default and can run over untrusted and/or public
49
50
networks.
50
51
51
52
## Control plane to node
52
53
53
54
There are two primary communication paths from the control plane (the API server) to the nodes.
54
-
The first is from the API server to the kubelet process which runs on each node in the cluster.
55
+
The first is from the API server to the {{< glossary_tooltip text="kubelet" term_id="kubelet" >}} process which runs on each node in the cluster.
55
56
The second is from the API server to any node, pod, or service through the API server's _proxy_
56
57
functionality.
57
58
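Review bot: the rewrite of "nodes and pods running on the nodes" to "nodes and pod running on the nodes" introduces a grammatical error; "pods" should stay plural (the sentence continues with "to the control plane is secured by default"). Separately, wrapping the `kube-proxy` glossary shortcode in backticks is likely to render the tooltip's anchor markup as literal text inside a code span, since Markdown escapes HTML in inline code; either drop the backticks around `{{< glossary_tooltip text="kube-proxy" term_id="kube-proxy" >}}` or keep the plain `kube-proxy` code span. The two new tooltip lines are also well past the ~100-character wrap used elsewhere in this file and should be reflowed.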
@@ -89,7 +90,7 @@ connections **are not currently safe** to run over untrusted or public networks.
89
90
90
91
### SSH tunnels
91
92
92
-
Kubernetes supports SSH tunnels to protect the control plane to nodes communication paths. In this
93
+
Kubernetes supports [SSH tunnels](https://www.ssh.com/academy/ssh/tunneling) to protect the control plane to nodes communication paths. In this
93
94
configuration, the API server initiates an SSH tunnel to each node in the cluster (connecting to
94
95
the SSH server listening on port 22) and passes all traffic destined for a kubelet, node, pod, or
95
96
service through the tunnel.
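Review bot: the new link for "SSH tunnels" points to a commercial vendor's site for a generic concept, which the rest of this page does not do; a neutral reference (or no link, since the sentence already explains the mechanism) would be more appropriate, and the edited line again exceeds the file's wrap width. Note also that this section goes on to describe SSH tunnels as superseded by Konnectivity, so drawing extra attention to them with an external link is of limited value to readers.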
@@ -117,3 +118,12 @@ connections.
117
118
Follow the [Konnectivity service task](/docs/tasks/extend-kubernetes/setup-konnectivity/) to set
118
119
up the Konnectivity service in your cluster.
119
120
121
+
## {{% heading "whatsnext" %}}
122
+
123
+
* Read about the [Kubernetes control plane components](/docs/concepts/overview/components/#control-plane-components)
124
+
* Learn more about [Hubs and Spoke model](https://book.kubebuilder.io/multiversion-tutorial/conversion-concepts.html#hubs-spokes-and-other-wheel-metaphors)
125
+
* Learn how to [Secure a Cluster](/docs/tasks/administer-cluster/securing-a-cluster/)
126
+
* Learn more about the [Kubernetes API](/docs/concepts/overview/kubernetes-api/)
127
+
*[Set up Konnectivity service](/docs/tasks/extend-kubernetes/setup-konnectivity/)
128
+
*[Use Port Forwarding to Access Applications in a Cluster](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/)
129
+
* Learn how to [Fetch logs for Pods](/docs/tasks/debug/debug-application/debug-running-pod/#examine-pod-logs), [use kubectl port-forward](/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#forward-a-local-port-to-a-port-on-the-pod)
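Review bot: two of the new "What's next" items (`*[Set up Konnectivity service]...` and `*[Use Port Forwarding ...]...`) are missing the space after the asterisk, so Markdown will not render them as list items. Both also duplicate links already present on the page: the Konnectivity task is linked in the paragraph just above this section, and the port-forward page is linked again in the final bullet. The "Hubs and Spoke model" link points to the kubebuilder tutorial on CRD version conversion, which is unrelated to control plane to node communication; it should be removed or replaced with a reference that actually covers this page's topic.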