update the kubelet authorizer to allow system:masters access without a SAR #99611
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: deads2k
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Can we migrate the Kubelet to
/triage accepted
/test pull-kubernetes-unit
I looked at that first, but doing so requires disconnecting the way they build the client. It's a significantly more invasive change.
Right, but it is also the correct change. If the Kubelet was already using the API server code, #98325 would have already fixed its defaulting to include
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community.
Rotten issues close after 30d of inactivity. Send feedback to sig-contributor-experience at kubernetes/community.
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
system:masters group is defined in kube-apiserver to always have access. Because of this, we know that every delegated authorization check for this group on every Kubernetes cluster will always return allowed. We can add the system:masters authorizer first.
/kind cleanup
/priority important-soon
@kubernetes/sig-auth-bugs @kubernetes/sig-node-pr-reviews
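The ordering proposed in the PR description, as an added sketch that is not code from this pull request or from Kubernetes: a group check placed ahead of the delegated SubjectAccessReview, so a system:masters caller is authorized locally and no remote call is made. The `Authorizer`, `privilegedGroup`, `delegatedSAR` and `authorize` names are hypothetical stand-ins, and the delegated check is modeled as always unreachable.

```go
package main

import (
	"errors"
	"fmt"
)

// Authorizer is a simplified, hypothetical stand-in for an authorizer interface.
type Authorizer interface {
	Authorize(groups []string) (allowed bool, err error)
}

// privilegedGroup allows any caller in the named group and abstains otherwise.
type privilegedGroup struct{ group string }

func (p privilegedGroup) Authorize(groups []string) (bool, error) {
	for _, g := range groups {
		if g == p.group {
			return true, nil
		}
	}
	return false, nil
}

// delegatedSAR models the remote SubjectAccessReview; here it is always unreachable.
type delegatedSAR struct{ calls int }

func (d *delegatedSAR) Authorize([]string) (bool, error) {
	d.calls++
	return false, errors.New("subjectaccessreview: apiserver unreachable")
}

// authorize walks the chain in order and stops at the first allow or error.
func authorize(chain []Authorizer, groups []string) (bool, error) {
	for _, a := range chain {
		if ok, err := a.Authorize(groups); ok || err != nil {
			return ok, err
		}
	}
	return false, nil
}

func main() {
	sar := &delegatedSAR{}
	chain := []Authorizer{privilegedGroup{"system:masters"}, sar}
	ok, err := authorize(chain, []string{"system:masters"}) // constructed caller
	fmt.Println(ok, err, sar.calls)
	ok, err = authorize(chain, []string{"system:nodes"}) // falls through to the SAR
	fmt.Println(ok, err, sar.calls)
}
```

Callers outside the group still reach the delegated check, so the short-circuit changes only how system:masters requests are decided, not who else is allowed.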