Update RBAC doc #2618
Conversation
cc @kubernetes/sig-auth-misc
docs/admin/authorization/rbac.md
<td><b>system:nodes</b> group</td> | ||
<td>Allows access to resources required by the kubelet component, <b>including read access to secrets, and write access to pods</b>. | ||
In the future, read access to secrets and write access to pods will be restricted to objects scheduled to the node. | ||
To maintain permissions in the future, Kubelets must identify themselves with a username in the form <b>system:node:<node-name></b>. |
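Review bot: the literal `<node-name>` inside `<b>system:node:<node-name></b>` sits in an HTML table cell, so the HTML parser will treat it as a tag and readers will see `system:node:` with the placeholder missing; escape it as `&lt;node-name&gt;`. The cell also leaves open whether the authorizer keys on the `system:nodes` group, on the `system:node:<node-name>` username, or on both; say so explicitly, since that determines which identity an operator's kubelet credentials must carry to keep working. Minor: `Kubelets` here versus `kubelet component` on the line above is inconsistent capitalization.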
Are you keying based on group or only based on name?
Both, probably? Will update.
docs/admin/authorization/rbac.md
don't already have even when the RBAC authorizer it disabled__. If "user-1" | ||
does not have the ability to read secrets in "namespace-a", they cannot create | ||
a binding that would grant that permission to themselves or any other user. | ||
The RBAC API inherently prevents users from escalating privileges by editing roles or role bindings. |
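Review bot: the first line has a typo, `the RBAC authorizer it disabled` should read `is disabled`, and the trailing `__` appears to close an emphasis span opened before this excerpt; verify the markdown pairs up when rendered. The closing sentence, `The RBAC API inherently prevents users from escalating privileges by editing roles or role bindings`, is stated as an absolute, yet the document elsewhere describes a permission that allows binding an escalating role, so a user who has been granted it is an exception; qualify the sentence, e.g. `... unless they have been explicitly granted the permission to bind roles containing permissions they do not themselves hold`, so the summary matches the detailed section.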
Seems like you should describe the permission we use to allow binding an escalating role.
I do, later. Hoist it into the summary?
Yeah. The summary is no longer accurate.
lgtm otherwise
I'm working on addressing the few comments. Will push an update tonight.
@liggitt Great, thanks!
@deads2k comments addressed, PTAL
lgtm
Preview at https://deploy-preview-2618--kubernetes-io-master-staging.netlify.com/docs/admin/authorization/rbac/