Update our kubelet (and other) certs for RBAC

[justinsb]

We need to do the equivalent of https://github.com/kubernetes/kubernetes/pull/39020/commits

And check for any other changes

[liggitt]

https://docs.google.com/document/d/1PqI--ql3LQsA69fEvRq1nQWgiIoE5Dyftja5Um9ML7Q/edit and https://github.com/kubernetes/kubernetes.github.io/pull/2360/files is documentation in progress for the roles and default bindings available to deployers.

deployers can either set up credentials for control plane components to match the default bindings, or they can bind roles themselves... either way works.

currently, the expected users/groups to pick up permissions automatically are:

1. bootstrap superuser in the system:masters group (username doesn't matter)
2. kubelet in the system:nodes group, username of system:node:<nodename>
3. controller manager as the user system:kube-controller-manager
4. kube-proxy as the user system:kube-proxy
5. scheduler as the user system:kube-scheduler

kubernetes/kubernetes#40021 is tracking remaining roles that need development, some of which will have default bindings as well.

[bgeesaman]

I believe this work (if not completed already) will enable the kubelet to also use --authorization-mode=Webhook to prevent arbitrary container command injection via kubelet-exploit

[bgeesaman]

Looks like the Kubelet certs are in the format of Subject: O=system:nodes, CN=kubelet and so it requires the additional RBAC clusterrolebinding to get the proper permissions right now.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[chrislovecnm]

/lifecycle frozen
/remove-lifecycle stale