We currently have a lot of users in profile::kubernetes::master::infrastructure_users: (private puppet) referring to groups that don't actually exist ("deploy" and "calico").
In Kubernetes, groups (apart from default groups that start with system:) "arise" from ClusterRoleBinding or RoleBinding objects with a subjects entry referring to them, e.g.:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-metrics
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: api-metrics
```
While there will not be a Group API object, the reference to a Group named api-metrics allows for users in the token file [1] to use that group and be granted permissions according to the above ClusterRoleBinding (that is, those of the ClusterRole api-metrics).
That said, we don't have such Bindings for "deploy" or "calico" and so we should remove those groups from the users to not cause further confusion.
If someone wants a list of "groups available in the cluster", that can be generated by something like: https://wikitech.wikimedia.org/wiki/Kubernetes/Kubectl/Cheat_Sheet#List_all_RBAC_%22Groups%22_referenced_in_the_cluster
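One way to find users whose groups have no binding, as an added example that is not part of the original task or the puppet code: it compares the groups column of a static token file against the Group subjects in the output of `kubectl get clusterrolebindings,rolebindings -A -o json`. The sample data, user names and tokens are constructed, and skipping `system:` groups is an assumption based on the note above that those are defaults.

```python
import csv
import io
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`
BINDINGS_JSON = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "api-metrics"},
     "subjects": [{"kind": "Group", "name": "api-metrics"}]},
    # A ServiceAccount subject named like a group must not count as a group.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sa-only"},
     "subjects": [{"kind": "ServiceAccount", "name": "deploy", "namespace": "ci"}]},
    # Bindings may have no subjects at all.
    {"kind": "RoleBinding", "metadata": {"name": "empty", "namespace": "default"}},
]})

# Constructed static token file: token,user,uid,"group1,group2" (groups optional)
TOKEN_FILE = '''\
token-a,api-metrics-user,1001,"api-metrics,deploy"
token-b,calico-user,1002,calico
token-c,admin-user,1003,"system:masters"
token-d,nogroup-user,1004
'''

def bound_groups(bindings_json):
    """Return every group name referenced as a Group subject in any binding."""
    groups = set()
    for item in json.loads(bindings_json).get("items", []):
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "Group":
                groups.add(subject["name"])
    return groups

def token_file_groups(text):
    """Map each user in the token file to its list of groups."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # blank or malformed line
        raw = row[3] if len(row) > 3 else ""
        users[row[1]] = [g.strip() for g in raw.split(",") if g.strip()]
    return users

def unbound_groups(token_text, bindings_json):
    """Report, per user, the groups that no binding refers to."""
    bound = bound_groups(bindings_json)
    report = {}
    for user, groups in token_file_groups(token_text).items():
        missing = sorted(g for g in groups
                         if g not in bound and not g.startswith("system:"))
        if missing:
            report[user] = missing
    return report

if __name__ == "__main__":
    print(unbound_groups(TOKEN_FILE, BINDINGS_JSON))
```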