add information about RBAC bootstrap roles #2169
docs/admin/authorization.md
| If an RBAC resource (`ClusterRole`, `ClusterRoleBinding`, etc) is prefixed with `system:*`, that indicates that | ||
| the resource is "owned" by the infrastructure. Modifications to these resources can result in non-functional clusters. | ||
| Once example is the `clusterrole/system:nodes`. This role is used to provide limited permissions to kubelets. If the |
One example is clusterrole/system:nodes
Thanks, looks good to me aside from ncdc's comment.
c0e7400 to 7737c60
| with a set of default ClusterRoles and ClusterRoleBindings. Most of these are `system:*` prefixed, but some are not. | ||
| They are all labeled with `kubernetes.io/bootstrapping=rbac-defaults`. These are the most commonly used: | ||
| |Default Role |Description |
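Review bot: the label `kubernetes.io/bootstrapping=rbac-defaults` is introduced in this hunk but the reader is never shown how to use it, and the table that follows only covers "the most commonly used" roles. Add the selector that lists the complete set, e.g. `kubectl get clusterroles,clusterrolebindings -l kubernetes.io/bootstrapping=rbac-defaults`, so an administrator can enumerate everything the bootstrapper created and audit the bindings rather than relying on the abbreviated table.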
Table doesn't render correctly. I think you're missing a line of | --- | --- |
I had been trying to glean this information from the names and definitions themselves, so I'm very happy to see someone documenting the intended uses.
| |Default Role |Description | ||
| |*admin* |A project manager. If used in a `RoleBinding`, an *admin* user will have |
What is a "project"? Is it manifested as a Kubernetes namespace? Is it the Kubernetes cluster?
| |*edit* |A role that can modify most objects in a project, but does not have the | ||
| power to view or modify roles or bindings. | ||
| |*view* |A role who cannot make any modifications, but can see most objects in a |
s/who/that/, for consistency with line 468 above.
| project. They cannot view or modify roles or bindings. They cannot view secrets, | ||
| since those are escalating. | ||
| |*system:auth-delegator*|A role which allows delegated authentication and authorization |
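Review bot: the *view* row says secrets are excluded "since those are escalating" without saying why, and nothing else in this hunk defines the term. Spell it out in a clause: a secret can hold a service account token or other credential, so a principal that can read secrets may obtain more access than *view* itself grants, which is why even read-only access to secrets is treated as a privilege escalation.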
s/which/that/, for consistency with line 468 above.
| |*system:basic-user* |A role that can get basic information about himself. | ||
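Review bot: `system:basic-user` is described as able to "get basic information about himself"; the subject is a role, so use "about themselves" (or "about the authenticated user"), matching the neutral phrasing of the other rows.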
| |*system:discovery*|A role which provides just enough power to access discovery and |
s/which/that/, for consistency with line 468 above.
| ### `system:*` prefixed RBAC resources | ||
| If an RBAC resource (`ClusterRole`, `ClusterRoleBinding`, etc) is prefixed with `system:*`, that indicates that |
Add a period after "etc".
| If an RBAC resource (`ClusterRole`, `ClusterRoleBinding`, etc) is prefixed with `system:*`, that indicates that | ||
| the resource is "owned" by the infrastructure. Modifications to these resources can result in non-functional clusters. |
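Review bot: the warning that modifying `system:*` resources "can result in non-functional clusters" does not tell the reader what to do instead, which matters because the PR's stated purpose is to document how to bind these roles. Add a sentence that administrators should grant access by creating their own `RoleBinding` or `ClusterRoleBinding` that references the default `ClusterRole`, and should treat the default roles and bindings themselves as read-only.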
s/non-functional/nonfunctional/
@devin-donnelly @alex-mohr @cjcullen I'm referring people to this pull a lot and we really need a spot where we can merge this and then continue a guide. Can we get a 1.6 branch or something so we can actively work on the docs in this area?
@jaredbhatti any word on the 1.6 branch?
included in #2360
I am getting this error. Can anyone please help me?
Adds information about bootstrap RBAC roles, what they're for, and how to bind them.
@kubernetes/sig-auth-misc