Official v1.29 Release Docs #43082

Merged
merged 173 commits into from
Dec 13, 2023

Commits
173 commits
83bb609
add authorization config documentation
palnabarun Jun 30, 2023
84e4de9
Tracking commit for v1.29 Docs
Rishit-dagli Aug 16, 2023
2ff476c
KEP-3668: Update Service and feature-gate docs for GA
xuzhenglun Aug 29, 2023
ac5112e
Graduate APIListChunking to GA documentation
wojtek-t Aug 31, 2023
d26e66d
Remove alpha environment variable because feature is in beta
ardaguclu Sep 6, 2023
413a994
Merge pull request #42800 from wojtek-t/pagination_ga
k8s-ci-robot Sep 15, 2023
c203889
Merge pull request #42774 from xuzhenglun/dev-1.29
k8s-ci-robot Sep 16, 2023
38baef2
updates hugo.toml for 1.29 release
katcosgrove Sep 17, 2023
ba28234
update CloudDualStackNodeIPs to beta
danwinship Sep 4, 2023
5e449a1
Merge pull request #43083 from katcosgrove/config-toml-1.29
k8s-ci-robot Sep 19, 2023
4af01d0
Merge pull request #42875 from danwinship/kep-3705-beta
k8s-ci-robot Sep 26, 2023
ad943fc
Merge main into dev-1.29 to keep in sync
katcosgrove Oct 6, 2023
a83b56d
Merge pull request #43347 from katcosgrove/merged-main-dev-1.29
k8s-ci-robot Oct 11, 2023
3768e3f
move feature gates CronJobTimeZone, JobMutableNodeSchedulingDirective…
SataQiu Oct 16, 2023
d83c806
add doc for feature LoadBalancerIPMode
RyanAoh Oct 13, 2023
1c73d4a
Introduce of the deprecated FG: MergeCLIArgumentsWithConfig
chendave Oct 16, 2023
bff157a
Merge pull request #43515 from chendave/dev-1.29
k8s-ci-robot Oct 17, 2023
a7d7ebb
Merge pull request #43400 from SataQiu/update-featuregates-20231010
k8s-ci-robot Oct 17, 2023
280a933
Remove RetroactiveDefaultStorageClass feature gate.
Shubham82 Oct 17, 2023
a724145
Revert "Introduce of the deprecated FG: MergeCLIArgumentsWithConfig"
chendave Oct 17, 2023
1d1366e
Merge pull request #43530 from chendave/revert-43515-dev-1.29
k8s-ci-robot Oct 17, 2023
08888c2
Merge pull request #43476 from RyanAoh/dev-1.29
k8s-ci-robot Oct 18, 2023
d485edf
graduate PersistentVolumeLastPhaseTransitionTime to beta in v1.29
RomanBednar Oct 17, 2023
abb8d0b
remove GAed FG DownwardAPIHugePages
pacoxu Oct 18, 2023
bea7fa8
Update feature-gates-removed.md
pacoxu Oct 18, 2023
870b642
Merge pull request #43553 from pacoxu/remove-downward-api-huge-pages
k8s-ci-robot Oct 18, 2023
53a8725
update documentation for component-slis
Oct 18, 2023
d1c38b0
Merge pull request #43518 from Shubham82/remove_RetroactiveDefaultSto…
k8s-ci-robot Oct 18, 2023
5aa6dc7
PodLifecycleSleepAction
AxeZhan Oct 17, 2023
53be005
remove GAed Feature Gate GRPCContainerProbe
pacoxu Oct 18, 2023
057e4d4
kubeadm: EtcdLearnerMode is beta in v1.29
pacoxu Aug 31, 2023
fab6072
update SkipReadOnlyValidationGCE status to Deprecated
pacoxu Oct 19, 2023
f6a7302
Merge pull request #43552 from pacoxu/remove-grpc-container-probe-fg
k8s-ci-robot Oct 19, 2023
4659872
Merge pull request #43574 from pacoxu/deprecate-SkipReadOnlyValidatio…
k8s-ci-robot Oct 19, 2023
a3226de
Merge pull request #43562 from logicalhan/slis-ga
k8s-ci-robot Oct 19, 2023
1711494
Merge pull request #43428 from AxeZhan/sleepAction
k8s-ci-robot Oct 19, 2023
aeeb380
Promote CSINodeExpandSecret feature to GA
humblec Oct 17, 2023
314f5df
Replacement PR for PR 43554 that targets the dev-1.29 branch
reylejano Oct 22, 2023
3218e72
Merge pull request #43633 from reylejano/1.29-remove-topologymanager-…
k8s-ci-robot Oct 22, 2023
0fbfc94
Merge remote-tracking branch 'upstream/main' into dev-1.29
Princesso Oct 25, 2023
25615ec
Device Plugins: add info about beta graduation
bart0sh Oct 11, 2023
d05e393
Merge pull request #43682 from Princesso/merged-main-dev-1.29
Priyankasaggu11929 Oct 28, 2023
a9478b4
kubeadm: introduce documentation changes for super-admin.conf
neolit123 Oct 17, 2023
fe172fc
Add 1.32 removal info for v1beta3 flowcontrol API
liggitt Oct 31, 2023
636f1d8
Merge pull request #43540 from neolit123/1.29-add-super-admin-kubeconfig
k8s-ci-robot Oct 31, 2023
1571a07
add DisableNodeKubeProxyVersion feature gate
HirazawaUi Oct 6, 2023
b034e43
Merge pull request #43535 from humblec/dev-1.29-nodeexpandsecret
k8s-ci-robot Nov 1, 2023
91aa69b
Update v1beta2 flowcontrol guidance
liggitt Nov 1, 2023
e962925
update documented metrics for v1.29
Nov 1, 2023
7db05a8
Merge remote-tracking branch 'upstream/main' into dev-1.29
drewhagen Nov 2, 2023
2de5b8f
Merge pull request #43789 from drewhagen/merged-main-dev-1.29
k8s-ci-robot Nov 2, 2023
5e8aebc
Merge pull request #43532 from RomanBednar/pv-last-phase-transition-t…
k8s-ci-robot Nov 3, 2023
9af50f2
Merge pull request #42801 from pacoxu/update-kubeadm-fgs
k8s-ci-robot Nov 3, 2023
7373138
Docs update for Job Backoff Limit Per Index in Beta
mimowo Oct 9, 2023
6886cad
Docs update about JobReadyPods graduated to GA
mimowo Nov 3, 2023
c71a216
update docs to promote PodReadyToStartContainersCondition into beta
charles-chenzz Oct 17, 2023
270468a
Merge remote-tracking branch 'upstream/main' into dev-1.29
katcosgrove Nov 6, 2023
6fde663
Merge pull request #43838 from katcosgrove/merged-main-dev-1.29
k8s-ci-robot Nov 6, 2023
aa48ad5
Merge pull request #43387 from mimowo/pods-ready-ga
k8s-ci-robot Nov 7, 2023
7fe30f5
Merge pull request #43388 from mimowo/backoff-limit-per-index-beta
k8s-ci-robot Nov 7, 2023
fff0693
Merge pull request #42907 from ardaguclu/kep-3895-promote-beta
k8s-ci-robot Nov 9, 2023
97a1c74
v1.29: kubeadm skew policy for kubelet is n-3
pacoxu Nov 1, 2023
ddb784a
certificates.md: add note about system:masters in apiserver cert
neolit123 Nov 10, 2023
0ebfe8b
Merge pull request #43769 from pacoxu/kubeadm-kubelet-skew-policy
k8s-ci-robot Nov 10, 2023
3be75f2
Graduate JobPodReplacementPolicy to beta
alculquicondor Oct 17, 2023
c55e6f2
Merge pull request #43870 from neolit123/1.29-fix-system-masters-apis…
k8s-ci-robot Nov 13, 2023
9e36b6c
Merge pull request #43529 from alculquicondor/replacement_beta
k8s-ci-robot Nov 13, 2023
725f68f
dra: warn about scheduling performance
pohly Nov 13, 2023
4efddf9
Merge pull request #43907 from pohly/dra-scheduling-impact
k8s-ci-robot Nov 14, 2023
d820f2b
add CRDValidationRatcheting 1.29 docs
alexzielenski Oct 18, 2023
407407e
Placeholder for KEP-4006
seans3 Oct 20, 2023
fb1bd22
Merge main into dev-1.29 to keep in sync
katcosgrove Nov 14, 2023
b1d5b82
remove MultiCIDRRangeAllocator
aojea Nov 14, 2023
f4d41c2
Merge pull request #43941 from aojea/cluster_cidr_remove
k8s-ci-robot Nov 14, 2023
8f7cfdb
modifying docs for SidecarContainers beta graduation (#43471)
matthyx Nov 15, 2023
7899eb0
Merge pull request #43938 from katcosgrove/merged-main-dev-1.29
k8s-ci-robot Nov 15, 2023
16fb2e6
Promote CRD validation rules to GA
cici37 Oct 11, 2023
cfbe80d
Merge pull request #43441 from cici37/2876-1.29
k8s-ci-robot Nov 16, 2023
50ea975
update pod-lifecycle.md to reflect the state of podreadytostartcontainer
charles-chenzz Nov 16, 2023
e109ce7
first round of comment address
charles-chenzz Nov 16, 2023
42c9e4e
KEP-4193: bound service account token improvements
enj Nov 15, 2023
bcb527b
Add LegacyServiceAccountTokenCleanUp feature to beta
yt2985 Oct 28, 2023
301fccd
Merge pull request #43778 from logicalhan/inst-docs
k8s-ci-robot Nov 17, 2023
43c7d05
Merge pull request #43958 from enj/enj/d/sa_node_ref
k8s-ci-robot Nov 17, 2023
8598729
update docs for KMSv2 and KMSv2KDF stable
aramase Oct 10, 2023
b8b45ee
Merge pull request #43620 from seans3/kep-4006-docs
k8s-ci-robot Nov 18, 2023
f893a19
Resolved merge conflict when merging main into dev-1.29 branch
Princesso Nov 19, 2023
5627db2
add documentation for AuthorizationConfiguration
palnabarun Nov 20, 2023
2ec25fb
add: the doc for matchLabelKeys/mismatchLabelKeys in pod (anti)affini…
sanposhiho Nov 20, 2023
8b9f3f8
review feedback
aramase Nov 17, 2023
9681b5d
Merge pull request #43999 from Princesso/merged-main-dev-1.29
k8s-ci-robot Nov 20, 2023
a8d08be
third round of comment address
charles-chenzz Nov 20, 2023
92a8fce
Merge pull request #43398 from aramase/aramase/d/kep_3299_stable_doc_…
k8s-ci-robot Nov 21, 2023
6dd3091
ClusterTrustBundles: Document projected volumes
ahmedtd Oct 20, 2023
c07ce39
Graduate ReadWriteOncePod to GA
chrishenzie Oct 10, 2023
01e6f31
add docs for StructuredAuthenticationConfig v1alpha1
aramase Oct 10, 2023
394db54
Decouple TaintManager from NodeLifeCycleController (KEP-3902)
atosatto Jul 10, 2023
99df3a3
Merge pull request #43600 from ahmedtd/ctb-projection
k8s-ci-robot Nov 21, 2023
fdf935b
Docs update for Beta PodHostIPs
wzshiming Nov 1, 2023
1056863
Update from code review
palnabarun Nov 22, 2023
421821d
Merge pull request #43563 from yt2985/dev-1.29
k8s-ci-robot Nov 22, 2023
1c3945f
apiserver: update APF documentation for GA
tkashem Nov 22, 2023
dc15c69
Merge pull request #43435 from bart0sh/PR029-Add-CDI-devices-to-devic…
k8s-ci-robot Nov 22, 2023
2d9fbc1
Merge remote-tracking branch 'upstream/main' into dev-1.29
katcosgrove Nov 22, 2023
fca3489
Merge pull request #44040 from katcosgrove/merged-main-dev-1.29
k8s-ci-robot Nov 22, 2023
03e2976
Add more context to downgrade example
palnabarun Nov 24, 2023
4c4a07f
Merge remote-tracking branch 'upstream/main' into dev-1.29
taniaduggal Nov 24, 2023
da5638c
Merge pull request #43417 from chrishenzie/readwriteoncepod-ga
k8s-ci-robot Nov 25, 2023
a4fd1da
Merge pull request #44069 from taniaduggal/merged-main-dev-1.29
k8s-ci-robot Nov 26, 2023
edddb55
KEP 4216: Doc changes for image pull per runtime class
kiashok Oct 17, 2023
8ff9e80
Merge pull request #43555 from atosatto/tec-dev-1.29
k8s-ci-robot Nov 26, 2023
21ac70e
Wrap markdown text
palnabarun Nov 27, 2023
123973c
Merge pull request #41892 from palnabarun/authz-config-docs
k8s-ci-robot Nov 27, 2023
cb04844
Merge pull request #44028 from kiashok/docs-kep4216-dev1.29
k8s-ci-robot Nov 27, 2023
6440c16
Merge remote-tracking branch 'upstream/main' into dev-1.29
katcosgrove Nov 27, 2023
4a17ee3
Merge pull request #43533 from charles-chenzz/dev-1.29
k8s-ci-robot Nov 27, 2023
a3a4666
Merge pull request #43448 from wzshiming/kep-2681
k8s-ci-robot Nov 27, 2023
1beb062
Merge pull request #44106 from katcosgrove/merged-main-dev-1.29
k8s-ci-robot Nov 27, 2023
75e93c6
Document the nftables kube-proxy mode.
danwinship Oct 19, 2023
41e0c2f
jpbetz feedback
Nov 27, 2023
6f44e15
typo fix
Nov 27, 2023
fdcd1f6
Merge pull request #43560 from alexzielenski/4008-beta
k8s-ci-robot Nov 27, 2023
d5466c3
Merge pull request #43588 from danwinship/kep-3866-nftables-proxy-alpha
k8s-ci-robot Nov 27, 2023
74caa0d
review feedback
aramase Nov 27, 2023
d6f0778
Remove description of how iptables kube-proxy differs from userspace
danwinship Nov 26, 2023
b34bf12
garbage collection: add blurb about ImageMaximumGCAge
haircommander Nov 14, 2023
7c2f5c4
Merge pull request #43397 from aramase/aramase/d/kep_3331_v1alpha1_do…
k8s-ci-robot Nov 28, 2023
90c282e
kep-2305: document dynamic cardinality enforcement
rexagod Nov 13, 2023
8ff7614
Merge pull request #43348 from HirazawaUi/add-DisableNodeKubeProxyVer…
k8s-ci-robot Nov 28, 2023
d608006
Merge pull request #41998 from rexagod/document-kep-2305
k8s-ci-robot Nov 28, 2023
4e156c7
Add documentation about user namespaces and PSS
saschagrunert Nov 3, 2023
445b03d
Merge pull request #43544 from haircommander/image-max-gc
k8s-ci-robot Nov 28, 2023
6f2db0b
Change font size for image pull per runtime doc
kiashok Nov 28, 2023
398961a
Merge pull request #43749 from liggitt/deprecated-1-29
k8s-ci-robot Nov 28, 2023
62ab7c4
Merge pull request #43946 from tkashem/apf-v1-doc
k8s-ci-robot Nov 28, 2023
57ae1bd
Merge pull request #44124 from kiashok/docs-kep4216-2-dev1.29
k8s-ci-robot Nov 28, 2023
8a29190
Merge pull request #43803 from kinvolk/dev-1.29-user-namespaces-pss
k8s-ci-robot Nov 28, 2023
8ccd0cc
Add Documentation for VolumeAttributesClass KEP-3751
sunnylovestiramisu Oct 13, 2023
b90698e
Update Based on Comments - Nov 27
sunnylovestiramisu Nov 28, 2023
058e522
Update Based on Comments - Nov 28
sunnylovestiramisu Nov 28, 2023
a3351b5
Merge pull request #43463 from sunnylovestiramisu/dev-1.29
k8s-ci-robot Nov 28, 2023
dff94b8
KEP-1880 Multiple ServiceCIDR
aojea Nov 25, 2023
0401617
Merge pull request #43469 from aojea/placeholder_kep1880
k8s-ci-robot Nov 29, 2023
c7d2933
Update information about CronJob's unsupported time zone field
soltysh Oct 23, 2023
1ea312d
Revise docs for API tracking of IP address assignment
sftim Nov 29, 2023
387192d
Fix style nits
sftim Nov 29, 2023
60a0a66
Add 1.29 to release schedule for 1.29 release
katcosgrove Nov 29, 2023
ac0ebfa
Merge pull request #43654 from soltysh/tz_validation
k8s-ci-robot Nov 29, 2023
b9b22e3
Merge pull request #44127 from sftim/20231129_revise_vips_api_ipam
k8s-ci-robot Nov 29, 2023
deaf1b9
Merge remote-tracking branch 'upstream/main' into dev-1.29
drewhagen Nov 29, 2023
00e0202
Merge pull request #44140 from drewhagen/merged-main-dev-1.29
k8s-ci-robot Nov 30, 2023
8dc0806
Link PSS to User Namespaces
saschagrunert Nov 30, 2023
41135ad
Merge pull request #44156 from saschagrunert/dev-1.29-user-namespaces…
k8s-ci-robot Nov 30, 2023
cf47dab
Fix redundancy in kube-proxy iptables and ipvs docs
danwinship Nov 27, 2023
9795352
UnauthenticatedHTTP2DOSMitigation default in 1.29 is set to true
troy0820 Dec 1, 2023
d5c5300
Clarify iptables performance slightly
danwinship Nov 27, 2023
ce56b7a
Merge pull request #44110 from danwinship/proxy-refactor
k8s-ci-robot Dec 1, 2023
dd5be8b
updating dates to reflect delayed release
katcosgrove Dec 1, 2023
f6b5c5f
Merge pull request #44177 from troy0820/troy0820/update-feature-gate-…
k8s-ci-robot Dec 3, 2023
45fb394
Merge main into dev-1.29 to maintain sync
katcosgrove Dec 7, 2023
9b007ed
Merge pull request #44252 from katcosgrove/merged-main-dev-1.29
k8s-ci-robot Dec 7, 2023
0f9c965
Merge branch 'main' into dev-1.29
sftim Dec 9, 2023
58a6a19
Merge pull request #44286 from sftim/20231209_dev_1.29_sync
k8s-ci-robot Dec 10, 2023
405985d
Updates v1.29 hugo.toml to include latest patches ahead of release
katcosgrove Dec 11, 2023
38d537b
Update data/releases/schedule.yaml
katcosgrove Dec 11, 2023
d2004ab
Merge pull request #44135 from katcosgrove/patch-release-schedule
k8s-ci-robot Dec 11, 2023
e57cf32
Merge 'dev-1.29' with main
sftim Dec 11, 2023
cada199
Merge pull request #44305 from sftim/20231211_dev_1.29_merge_main
k8s-ci-robot Dec 11, 2023
d60ddf8
Merge pull request #44303 from katcosgrove/update-1.29-hugo.toml
sftim Dec 12, 2023
2520994
Feature gate SchedulerQueueingHints is disabled by default
sanposhiho Dec 13, 2023
bad6aa4
Update content/en/docs/reference/command-line-tools-reference/feature…
katcosgrove Dec 13, 2023
9010b97
Revise message
sftim Dec 13, 2023
5682790
Merge pull request #44316 from sanposhiho/qhint-fix
katcosgrove Dec 13, 2023
138 changes: 137 additions & 1 deletion content/en/docs/reference/access-authn-authz/authorization.md
@@ -209,6 +209,143 @@ The following flags can be used:
You can choose more than one authorization module. Modules are checked in order
so an earlier module has higher priority to allow or deny a request.

## Configuring the API Server using an Authorization Config File

{{< feature-state state="alpha" for_k8s_version="v1.29" >}}

The Kubernetes API server's authorizer chain can be configured using a
configuration file.

You specify the path to that authorization configuration using the
`--authorization-config` command line argument. This feature enables
creation of authorization chains with multiple webhooks with well-defined
parameters that validate requests in a certain order and enables fine grained
control - such as explicit Deny on failures. An example configuration with
all possible values is provided below.

In order to customise the authorizer chain, you need to enable the
`StructuredAuthorizationConfiguration` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/).

Note: When the feature is enabled, setting both `--authorization-config` and
configuring an authorization webhook using the `--authorization-mode` and
`--authorization-webhook-*` command line flags is not allowed. If done, there
will be an error and API Server would exit right away.

{{< caution >}}
While the feature is in Alpha/Beta, there is no change if you want to keep on
using command line flags. When the feature goes Beta, the feature flag would
be turned on by default. The feature flag would be removed when feature goes GA.

When configuring the authorizer chain using a config file, make sure all the
apiserver nodes have the file. Also, take a note of the apiserver configuration
when upgrading/downgrading the clusters. For example, if upgrading to v1.29+
clusters and using the config file, you would need to make sure the config file
exists before upgrading the cluster. When downgrading to v1.28, you would need
to add the flags back to their bootstrap mechanism.
{{< /caution >}}

```yaml
#
# DO NOT USE THE CONFIG AS IS. THIS IS AN EXAMPLE.
#
apiVersion: apiserver.config.k8s.io/v1alpha1
kind: AuthorizationConfiguration
# authorizers are defined in order of precedence
authorizers:
- type: Webhook
# Name used to describe the authorizer
# This is explicitly used in monitoring machinery for metrics
# Note:
# - Validation for this field is similar to how K8s labels are validated today.
# Required, with no default
name: webhook
webhook:
# The duration to cache 'authorized' responses from the webhook
# authorizer.
# Same as setting `--authorization-webhook-cache-authorized-ttl` flag
# Default: 5m0s
authorizedTTL: 30s
# The duration to cache 'unauthorized' responses from the webhook
# authorizer.
# Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
# Default: 30s
unauthorizedTTL: 30s
# Timeout for the webhook request
# Maximum allowed is 30s.
# Required, with no default.
timeout: 3s
# The API version of the authorization.k8s.io SubjectAccessReview to
# send to and expect from the webhook.
# Same as setting `--authorization-webhook-version` flag
# Required, with no default
# Valid values: v1beta1, v1
subjectAccessReviewVersion: v1
# MatchConditionSubjectAccessReviewVersion specifies the SubjectAccessReview
# version the CEL expressions are evaluated against
# Valid values: v1
# Required only if matchConditions are specified, no default value
matchConditionSubjectAccessReviewVersion: v1
# Controls the authorization decision when a webhook request fails to
# complete or returns a malformed response or errors evaluating
# matchConditions.
# Valid values:
# - NoOpinion: continue to subsequent authorizers to see if one of
# them allows the request
# - Deny: reject the request without consulting subsequent authorizers
# Required, with no default.
failurePolicy: Deny
connectionInfo:
# Controls how the webhook should communicate with the server.
# Valid values:
# - KubeConfig: use the file specified in kubeConfigFile to locate the
# server.
# - InClusterConfig: use the in-cluster configuration to call the
# SubjectAccessReview API hosted by kube-apiserver. This mode is not
# allowed for kube-apiserver.
type: KubeConfig
# Path to KubeConfigFile for connection info
# Required, if connectionInfo.Type is KubeConfig
kubeConfigFile: /kube-system-authz-webhook.yaml
# matchConditions is a list of conditions that must be met for a request to be sent to this
# webhook. An empty list of matchConditions matches all requests.
# There are a maximum of 64 match conditions allowed.
#
# The exact matching logic is (in order):
# 1. If at least one matchCondition evaluates to FALSE, then the webhook is skipped.
# 2. If ALL matchConditions evaluate to TRUE, then the webhook is called.
# 3. If at least one matchCondition evaluates to an error (but none are FALSE):
# - If failurePolicy=Deny, then the webhook rejects the request
# - If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
matchConditions:
# expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
# CEL expressions have access to the contents of the SubjectAccessReview in v1 version.
# If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
# the contents would be converted to the v1 version before evaluating the CEL expression.
#
# Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
#
# only send resource requests to the webhook
- expression: has(request.resourceAttributes)
# only intercept requests to kube-system
- expression: request.resourceAttributes.namespace == 'kube-system'
# don't intercept requests from kube-system service accounts
- expression: !('system:serviceaccounts:kube-system' in request.user.groups)
- type: Node
name: node
- type: RBAC
name: rbac
- type: Webhook
name: in-cluster-authorizer
webhook:
authorizedTTL: 5m
unauthorizedTTL: 30s
timeout: 3s
subjectAccessReviewVersion: v1
failurePolicy: NoOpinion
connectionInfo:
type: InClusterConfig
```

## Privilege escalation via workload creation or edits {#privilege-escalation-via-pod-creation}

Users who can create/edit pods in a namespace, either directly or through a [controller](/docs/concepts/architecture/controller/)
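Review bot: the example chain places a webhook with `failurePolicy: Deny` ahead of the `Node` and `RBAC` authorizers, and the hunk's prose never states the consequence: once the three matchConditions select a request (a resource request to kube-system from a user outside the kube-system service account group), any webhook timeout, malformed response or matchCondition evaluation error rejects it without the Node or RBAC authorizers being consulted, so webhook availability becomes an availability dependency for the control plane's own namespace. Add a sentence after the caution block that spells out this trade-off against `NoOpinion` and notes that `timeout: 3s` bounds how long each selected request waits on the webhook. Two smaller points: the bare `Note:` paragraph about combining `--authorization-config` with the `--authorization-mode` and `--authorization-webhook-*` flags should use the site's `{{< note >}}` shortcode, matching the `{{< caution >}}` block directly below it, and the sentence "When the feature goes Beta, the feature flag would be turned on by default" documents future behaviour for a feature the page marks alpha in v1.29; limit the caution to the current state.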
@@ -241,4 +378,3 @@ This should be considered when deciding on your RBAC controls.

* To learn more about Authentication, see **Authentication** in [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/).
* To learn more about Admission Control, see [Using Admission Controllers](/docs/reference/access-authn-authz/admission-controllers/).
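Review bot: the file summary reports 1 deletion and this hunk shrinks from 4 lines to 3 (`-241,4 +378,3`), but the removed line is not visible in the rendered view; confirm it is a blank or duplicated line and not one of the cross-reference bullets in this list, since the Authentication and Admission Control links are the page's only pointers to the other two stages of request handling.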