Document node authorization mode #4077
Conversation
@kubernetes/sig-auth-pr-reviews
/assign @chenopis
couple nits, otherwise lgtm
docs/admin/authorization/node.md (outdated)
Kubelets must be able to read the API resources that describe the pods they are supposed to run,
read secrets, configmaps, persistent volume claims and persistent volumes related to those pods,
and write API objects that report the status of their pods, and of the node the kubelet is running on.
nit: this is an awkward run-on sentence.
made sense at midnight... will fix
docs/admin/authorization/node.md (outdated)
In 1.8, the binding will not be created at all.

The `system:node` cluster role will continue to be created when using RBAC,
s/when using RBAC/when using RBAC without the Node authorizer/g ?
no, the role still gets created, just not the binding
some minor grammar and formatting nits
docs/admin/authorization/node.md (outdated)
### Kubelets with undifferentiated usernames

In some deployments, kubelets have credentials that place them in the `system:nodes` group,
but do not identify the particular node they are associated with (have a username that does not match the `system:node:...` format).
suggested edit: "...they are associated with, such as having a username that does not match the `system:node:...` format."
docs/admin/authorization/node.md (outdated)
In some deployments, kubelets have credentials that place them in the `system:nodes` group,
but do not identify the particular node they are associated with (have a username that does not match the `system:node:...` format).

These kubelets would not be authorized by the `Node` authorization mode,
Perhaps this should be part of the previous paragraph.
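The two snippets under review above (the read/write access a kubelet needs, and the undifferentiated-username case) can be exercised in code. The Go program below is an added illustration written for this page; it is not code from kubernetes/kubernetes or from this PR. It models how an identity-aware authorizer decides a kubelet request against a small relationship graph. Everything in it is assumed for the example: the `Decision` type with a `NoOpinion` outcome that lets a later authorizer (RBAC) decide, the `Pod`, `Graph` and `Request` types, the choice to allow only `get` on referenced secrets, configmaps, PVCs and PVs, the folding of the NodeRestriction "own node only" write limit into the authorizer itself, and the constructed node and object names in `SampleGraph`.

```go
package main

import "fmt"
import "strings"

// Decision models the Node authorizer's two outcomes in this example: Allow, or
// NoOpinion so a later authorizer (RBAC, while the system:node binding exists) decides.
type Decision int

const (
	NoOpinion Decision = iota
	Allow
)

// NodeIdentity extracts the node name from a kubelet credential. Both checks
// must pass: username "system:node:<name>" and membership of "system:nodes".
// An undifferentiated username such as "kubelet" is not a node, even in the group.
func NodeIdentity(username string, groups []string) (string, bool) {
	name := strings.TrimPrefix(username, "system:node:")
	if name == "" || name == username {
		return "", false
	}
	for _, g := range groups {
		if g == "system:nodes" {
			return name, true
		}
	}
	return "", false
}

// Pod keeps only what the model needs: the node it is bound to and the objects
// it uses, as "resource/name" keys. The PV reached through a PVC is resolved
// when the graph is built, so it appears here directly (assumption of this model).
type Pod struct {
	Namespace, Name, Node string
	Refs                  map[string]bool
}

type Graph []Pod // stands in for the relationship graph the authorizer consults

type Request struct {
	Verb, Resource, Subresource, Namespace, Name string
}

func (r Request) isRead() bool {
	return r.Verb == "get" || r.Verb == "list" || r.Verb == "watch"
}

var readable = map[string]bool{"secrets": true, "configmaps": true, "persistentvolumeclaims": true, "persistentvolumes": true}

// Authorize applies the rules the reviewed text lists: read the pods bound to
// this node and the secrets, configmaps, PVCs and PVs they use; write status of
// those pods and of this node. Limiting writes to the kubelet's own node is what
// the NodeRestriction admission plugin does in a real cluster; the model folds it in.
func (g Graph) Authorize(username string, groups []string, r Request) Decision {
	node, ok := NodeIdentity(username, groups)
	if !ok || r.Name == "" {
		return NoOpinion
	}
	statusWrite := r.Subresource == "status" && (r.Verb == "update" || r.Verb == "patch")
	if r.Resource == "nodes" {
		if r.Name == node && (r.isRead() || statusWrite) {
			return Allow
		}
		return NoOpinion
	}
	for _, p := range g {
		if p.Node != node {
			continue // another node's pod: no relationship to this kubelet
		}
		sameNS := p.Namespace == r.Namespace
		if r.Resource == "pods" && sameNS && p.Name == r.Name && (r.isRead() || statusWrite) {
			return Allow
		}
		// get only (list/watch would let a kubelet enumerate secrets); PVs are cluster-scoped, so no namespace check for them
		if readable[r.Resource] && r.Verb == "get" && (sameNS || r.Resource == "persistentvolumes") && p.Refs[r.Resource+"/"+r.Name] {
			return Allow
		}
	}
	return NoOpinion
}

// SampleGraph is constructed data: one pod on each of two nodes.
func SampleGraph() Graph {
	return Graph{
		{Namespace: "prod", Name: "web-1", Node: "node1", Refs: map[string]bool{"secrets/web-tls": true,
			"configmaps/web-config": true, "persistentvolumeclaims/web-data": true, "persistentvolumes/pv-0007": true}},
		{Namespace: "prod", Name: "db-1", Node: "node2", Refs: map[string]bool{"secrets/db-creds": true}},
	}
}

func main() {
	g, groups := SampleGraph(), []string{"system:nodes"}
	own := Request{Verb: "get", Resource: "secrets", Namespace: "prod", Name: "web-tls"}
	other := Request{Verb: "get", Resource: "secrets", Namespace: "prod", Name: "db-creds"}
	fmt.Println(g.Authorize("system:node:node1", groups, own) == Allow)   // true
	fmt.Println(g.Authorize("system:node:node1", groups, other) == Allow) // false: no opinion, RBAC decides
	fmt.Println(g.Authorize("kubelet", groups, own) == Allow)             // false: undifferentiated username
}
```

`go run` prints `true`, `false`, `false`: node1's kubelet may read the secret its own pod mounts; for another node's secret the model returns no opinion, so under its fall-through semantics RBAC decides, which is what keeps the migration in the reviewed text non-disruptive while the `system:node` binding still exists; and a credential with the undifferentiated username `kubelet` is never treated as a node, even though it is in `system:nodes`. In a real cluster the corresponding check, run by a user allowed to impersonate, is `kubectl auth can-i get secret/web-tls -n prod --as=system:node:node1 --as-group=system:nodes`.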
docs/admin/authorization/node.md (outdated)
If a cluster admin wishes to start using the `Node` authorizer and `NodeRestriction` admission plugin
to limit node access to the API, that can be done non-disruptively:
1. Enable the `Node` authorization mode (`--authorization-mode=Node,RBAC`) and the `NodeRestriction` admission plugin
These bullet points aren't rendering correctly (see netlify preview). Try adding a newline between lines 57 and 58.
docs/admin/authorization/node.md (outdated)
In 1.6, the `system:node` cluster role was automatically bound to the `system:nodes` group when using the [RBAC Authorization mode](/docs/admin/authorization/rbac/).

In 1.7, the automatic binding of the `system:nodes` group to the `system:node` role is deprecated,
some of the commas unnecessary: "In 1.7, the automatic binding of the `system:nodes` group to the `system:node` role is deprecated because the node authorizer accomplishes the same purpose with the benefit of additional restrictions on secret and configmap access."
@liggitt Ping me when the review comments have been addressed and this is ready to be merged. Thx
@liggitt FYI, all feedback must be addressed and LGTMs given by EOD Tue, June 27th so that this can be merged for the 1.7 release on June 28th.
@chenopis updated
Docs for kubernetes/enhancements#279