From 974c38240fc495086f6e7ebfa02aeb4fed48d20c Mon Sep 17 00:00:00 2001 From: Jake Sanders Date: Wed, 27 Feb 2019 16:23:22 -0800 Subject: [PATCH 1/2] Document changes to default RBAC discovery ClusterRole(Binding)s Documentation for https://github.com/kubernetes/enhancements/issues/789 and https://github.com/kubernetes/kubernetes/pull/73807 --- content/en/docs/reference/access-authn-authz/rbac.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md index b90509b924341..cba4e4d13f2a4 100644 --- a/content/en/docs/reference/access-authn-authz/rbac.md +++ b/content/en/docs/reference/access-authn-authz/rbac.md @@ -462,6 +462,8 @@ kubectl get clusterroles system:discovery -o yaml NOTE: editing the role is not recommended as changes will be overwritten on API server restart via auto-reconciliation (see above). +As of Kubernetes version 1.14+, the default RBAC discovery ClusterRoles are: + @@ -471,14 +473,19 @@ NOTE: editing the role is not recommended as changes will be overwritten on API - + - + + + + + +
system:basic-usersystem:authenticated and system:unauthenticated groupssystem:authenticated group Allows a user read-only access to basic information about themselves.
system:discoverysystem:authenticated and system:unauthenticated groupssystem:authenticated group Allows read-only access to API discovery endpoints needed to discover and negotiate an API level.
system:public-info-viewersystem:authenticated and system:unauthenticated groupsAllows read-only access to non-sensitive information about the cluster.
### User-facing Roles From bbc86e07a565e3fe302770d3812da935fe87ddd0 Mon Sep 17 00:00:00 2001 From: Jake Sanders Date: Mon, 4 Mar 2019 15:28:28 -0800 Subject: [PATCH 2/2] documentation review feedback --- content/en/docs/reference/access-authn-authz/rbac.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md index cba4e4d13f2a4..0b99331e5d3ce 100644 --- a/content/en/docs/reference/access-authn-authz/rbac.md +++ b/content/en/docs/reference/access-authn-authz/rbac.md @@ -462,8 +462,6 @@ kubectl get clusterroles system:discovery -o yaml NOTE: editing the role is not recommended as changes will be overwritten on API server restart via auto-reconciliation (see above). -As of Kubernetes version 1.14+, the default RBAC discovery ClusterRoles are: - @@ -474,17 +472,17 @@ As of Kubernetes version 1.14+, the default RBAC discovery ClusterRoles are: - + - + - +
system:basic-user system:authenticated groupAllows a user read-only access to basic information about themselves.Allows a user read-only access to basic information about themselves. Prior to 1.14, this role was also bound to `system:unauthenticated` by default.
system:discovery system:authenticated groupAllows read-only access to API discovery endpoints needed to discover and negotiate an API level.Allows read-only access to API discovery endpoints needed to discover and negotiate an API level. Prior to 1.14, this role was also bound to `system:unauthenticated` by default.
system:public-info-viewer system:authenticated and system:unauthenticated groupsAllows read-only access to non-sensitive information about the cluster.Allows read-only access to non-sensitive information about the cluster. Introduced in 1.14.
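Review bot: in the table hunk of PATCH 1/2 (@@ -471,14 +473,19), the new system:public-info-viewer row is the only one still bound to system:unauthenticated, yet its description, "non-sensitive information about the cluster", does not say what an anonymous caller can actually read. Since this row now defines the whole unauthenticated surface of the default policy, please either name the endpoints the role covers or point readers at `kubectl get clusterroles system:public-info-viewer -o yaml`, mirroring the system:discovery command already shown in the context above the table.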
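Review bot: in the table hunk of PATCH 2/2 (@@ -474,17 +472,17), the added sentence "Prior to 1.14, this role was also bound to `system:unauthenticated` by default" records the old default but leaves out what happens to that binding on a cluster upgraded from an earlier release. The NOTE in the context just above says auto-reconciliation overwrites edits on API server restart, so a reader cannot tell from these rows whether the system:unauthenticated subject is dropped on upgrade, kept, or put back after an administrator removes it. Suggest one sentence on the upgrade behaviour for system:basic-user and system:discovery, plus a pointer to inspecting the subjects of the matching ClusterRoleBindings. Smaller point: if these cells are raw HTML rather than Markdown, the backticks around system:unauthenticated will render literally, and the other cells in the table do not use them.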