
Move away from system:node RBAC role
Open, Medium, Public

Description

From https://people.wikimedia.org/~jayme/k8s-docs/v1.16/docs/reference/access-authn-authz/rbac/

system:node
Allows access to resources required by the kubelet component, including read access to all secrets, and write access to all pod status objects. As of 1.7, use of the Node authorizer and NodeRestriction admission plugin is recommended instead of this role; these allow granting API access to kubelets based on the pods scheduled to run on them. Prior to 1.7, this role was automatically bound to the system:nodes group. In 1.7, this role was automatically bound to the system:nodes group if the Node authorization mode is not enabled. In 1.8+, no binding is automatically created.

We currently have a workaround in place that allows us to continue to use system:node: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/deployment-charts/+/refs/heads/master/helmfile.d/admin_ng/helmfile_rbac.yaml#80
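An added audit script (example code written for this task, not part of the task itself or of the deployment-charts repo) that checks the two halves of the migration described above: whether any ClusterRoleBinding still hands out the system:node ClusterRole, and whether the apiserver runs with the Node authorizer and NodeRestriction admission plugin that are meant to replace it. The bindings JSON and the apiserver command line are constructed samples.

```python
import json
import shlex

# Constructed sample, shaped like trimmed `kubectl get clusterrolebindings -o json` output.
SAMPLE_BINDINGS = json.dumps({"items": [
    {"metadata": {"name": "system:node"},
     "roleRef": {"kind": "ClusterRole", "name": "system:node"},
     "subjects": [{"kind": "Group", "name": "system:nodes"}]},
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})

# Constructed sample kube-apiserver command line (as found in its static pod manifest).
SAMPLE_APISERVER_CMD = ("kube-apiserver --authorization-mode=Node,RBAC "
                        "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction")


def legacy_node_bindings(bindings_json: str) -> list:
    """Names of bindings whose roleRef is the legacy system:node ClusterRole,
    paired with the subjects they hand that role to."""
    hits = []
    for item in json.loads(bindings_json)["items"]:
        ref = item.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == "system:node":
            subjects = [f'{s["kind"]}/{s["name"]}' for s in item.get("subjects", [])]
            hits.append((item["metadata"]["name"], subjects))
    return hits


def flag_values(cmdline: str, flag: str) -> set:
    """Comma-separated values of `--flag=a,b` on the command line (empty if absent)."""
    for arg in shlex.split(cmdline):
        if arg.startswith(flag + "="):
            return set(arg.split("=", 1)[1].split(","))
    return set()


def node_auth_hardened(cmdline: str) -> bool:
    """True when the apiserver scopes kubelet access per node: Node authorizer
    enabled and NodeRestriction admission plugin loaded."""
    return ("Node" in flag_values(cmdline, "--authorization-mode")
            and "NodeRestriction" in flag_values(cmdline, "--enable-admission-plugins"))


def audit(bindings_json: str, cmdline: str) -> list:
    """Findings to resolve before dropping the system:node workaround."""
    findings = [f"{name} grants system:node (read all secrets, write all pod status) to {subj}"
                for name, subj in legacy_node_bindings(bindings_json)]
    if not node_auth_hardened(cmdline):
        findings.append("apiserver lacks Node authorizer and/or NodeRestriction; kubelets "
                        "would not be scoped to their own pods once system:node is removed")
    return findings
```

Both conditions must hold before the binding is removed: with the Node authorizer absent, deleting the binding takes away kubelet access entirely rather than narrowing it.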

Event Timeline

JMeybohm triaged this task as Medium priority. Fri, Jan 14, 5:51 PM
JMeybohm added a project: serviceops.