remove ro service

Daniel Smith
2015-05-06 14:54:54 -07:00
parent f8bf996000
commit 1690617ee6
8 changed files with 32 additions and 155 deletions


@@ -4,27 +4,21 @@
The Kubernetes API is served by the Kubernetes APIServer process. Typically,
there is one of these running on a single kubernetes-master node.
By default the Kubernetes APIserver serves
HTTP on 3 ports:
By default the Kubernetes APIserver serves HTTP on 2 ports:
1. Localhost Port
- serves HTTP
- default is port 8080, change with `-port` flag.
- defaults IP is localhost, change with `-address` flag.
- no authentication or authorization checks in HTTP
- protected by need to have host access
2. ReadOnly Port
- default is port 7080, change with `-read_only_port`
- default IP is first non-localhost network interface, change with `-public_address_override`
- serves HTTP
- no authentication checks in HTTP
- only GET requests are allowed.
- requests are rate limited
3. Secure Port
2. Secure Port
- default is port 443, change with `-secure_port`
- default IP is first non-localhost network interface, change with `-public_address_override`
- serves HTTPS. Set cert with `-tls_cert_file` and key with `-tls_private_key_file`.
- uses token-file or client-certificate based [authentication](./authentication.md).
- uses policy-based [authorization](./authorization.md).
3. Removed: ReadOnly Port
- For security reasons, this had to be removed. Use the service account feature instead.
## Proxies and Firewall rules
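Review bot: the intro now says the APIserver serves HTTP on 2 ports, but the numbered list below still has three entries, and `3. Removed: ReadOnly Port` reads as a third port rather than a removal notice; move that entry out of the numbered list into its own sentence after the Secure Port item. The stated reason, `For security reasons, this had to be removed.`, is too vague to be useful; the deleted lines already give the concrete reason (`no authentication checks in HTTP` on the `first non-localhost network interface`), so say that the port exposed unauthenticated GET access beyond localhost. It would also help to link `Use the service account feature instead.` to the relevant doc, the way the Secure Port item links [authentication](./authentication.md) and [authorization](./authorization.md).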
@@ -46,11 +40,12 @@ variety of uses cases:
on desktop machine. Currently, accesses the Localhost Port via a proxy (nginx)
running on the `kubernetes-master` machine. Proxy uses bearer token authentication.
2. Processes running in Containers on Kubernetes that need to do read from
the apiserver. Currently, these can use Readonly Port.
the apiserver. Currently, these can use a service account.
3. Scheduler and Controller-manager processes, which need to do read-write
API operations. Currently, these have to run on the
operations on the apiserver. Currently, these have to run on the same
host as the apiserver and use the Localhost Port.
API operations. Currently, these have to run on the operations on the
apiserver. Currently, these have to run on the same host as the
apiserver and use the Localhost Port. In the future, these will be
switched to using service accounts to avoid the need to be co-located.
4. Kubelets, which need to do read-write API operations and are necessarily
on different machines than the apiserver. Kubelet uses the Secure Port
to get their pods, to find the services that a pod can see, and to
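Review bot: the rewritten item 3 is garbled: `API operations. Currently, these have to run on the operations on the` followed by `apiserver. Currently, these have to run on the same host as the` repeats `Currently, these have to run on the` and loses the object of `read-write`. Suggested wording: `3. Scheduler and Controller-manager processes, which need to do read-write API operations on the apiserver. Currently, these have to run on the same host as the apiserver and use the Localhost Port. In the future, these will be switched to using service accounts to avoid the need to be co-located.`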
@@ -59,16 +54,12 @@ variety of uses cases:
## Expected changes
- Policy will limit the actions kubelets can do via the authed port.
- Kube-proxy currently uses the readonly port to read services and endpoints,
but will eventually use the auth port.
- Kubelets will change from token-based authentication to cert-based-auth.
- Scheduler and Controller-manager will use the Secure Port too. They
will then be able to run on different machines than the apiserver.
- A general mechanism will be provided for [giving credentials to
pods](
https://github.com/GoogleCloudPlatform/kubernetes/issues/1907).
- The Readonly Port will no longer be needed and [will be removed](
https://github.com/GoogleCloudPlatform/kubernetes/issues/5921).
- Clients, like kubectl, will all support token-based auth, and the
Localhost will no longer be needed, and will not be the default.
However, the localhost port may continue to be an option for
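Review bot: deleting the `Kube-proxy currently uses the readonly port to read services and endpoints,` bullet leaves this section silent on how kube-proxy reaches the apiserver now that the readonly port is gone; since the earlier hunk says in-cluster readers `can use a service account`, replace the bullet with one stating what kube-proxy uses (or is moving to) rather than dropping it. Removing `The Readonly Port will no longer be needed and [will be removed](` is correct now that the removal has happened, but the remaining bullet `Policy will limit the actions kubelets can do via the authed port.` still says `authed port` where the rest of the document says `Secure Port`; use one term.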