We currently have a lot of users in `profile::kubernetes::master::infrastructure_users:` (private puppet) referring to groups that don't actually exist ("deploy" and "calico").
In Kubernetes, groups (apart from default groups that start with `system:`) "arise" from ClusterRoleBinding or RoleBinding objects with a subject referring to them, e.g.:
``` lang=yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-metrics
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: api-metrics
```
While there will not be a Group API object, the reference to a Group named `api-metrics` allows for users in the token file [1] to use that group and be granted permissions according to the above ClusterRoleBinding (that is, those of the ClusterRole `api-metrics`).
That said, we don't have such Bindings for "deploy" or "calico" and so we should remove those groups from the users to not cause further confusion.
If someone wants a list of "groups available in the cluster", that can be generated by something like: https://phabricator.wikimedia.org/P14374$11
[1] https://people.wikimedia.org/~jayme/k8s-docs/v1.16/docs/reference/access-authn-authz/authentication/#static-token-file
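
One way to find token-file users whose groups no binding references, as an added example that is not part of the original task or the linked paste. The token file contents, user names, bindings and function names are constructed for illustration; `system:` groups are skipped because the task treats them as defaults.

```python
import csv
import io

# Constructed static token file (format: token,user,uid,"group1,group2").
TOKEN_FILE = '''\
tok-aaa,metrics-example,metrics-example,"api-metrics"
tok-bbb,deploy-example,deploy-example,"deploy"
tok-ccc,calico-example,calico-example,"calico,system:masters"
tok-ddd,nogroup-example,nogroup-example
'''

# Constructed sample of `kubectl get clusterrolebindings,rolebindings -A -o json` output.
BINDINGS = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "api-metrics"},
     "subjects": [{"kind": "Group", "name": "api-metrics"}]},
    {"kind": "RoleBinding", "metadata": {"name": "user-only-example"},
     "subjects": [{"kind": "User", "name": "deploy"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "empty-example"}},
]}


def token_file_groups(text):
    """Map each user in the token file to the set of groups it is given."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3:
            continue  # blank or malformed line
        groups = row[3].split(",") if len(row) > 3 else []  # groups column is optional
        users[row[1]] = {g.strip() for g in groups if g.strip()}
    return users


def bound_groups(bindings):
    """Names of all Group subjects across the given bindings."""
    return {s["name"] for item in bindings.get("items", [])
            for s in item.get("subjects") or [] if s.get("kind") == "Group"}


def unbound_groups(users, bound):
    """Per user, groups that no binding references (system: groups skipped)."""
    dangling = {u: sorted(g for g in gs
                          if g not in bound and not g.startswith("system:"))
                for u, gs in users.items()}
    return {u: gs for u, gs in dangling.items() if gs}


if __name__ == "__main__":
    users = token_file_groups(TOKEN_FILE)
    print(unbound_groups(users, bound_groups(BINDINGS)))
```

A `User` subject named `deploy` does not make the group `deploy` exist, which is why `deploy-example` is still reported.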