rbac: add information on unauthenticated discovery roles (#10212)

The Product Security Team got a report about these unauthenticated
discovery roles. The reporter was surprised about getting 200 requests
when unauthenticated. And given the light documentation on the intention
of these roles it is justifiable.

Increase documentation on these roles.
pull/10217/head
Brandon Philips 2018-09-06 18:28:08 -07:00 committed by k8s-ci-robot
parent 2917c69b2d
commit 47d4c63bfd
1 changed files with 10 additions and 0 deletions


@ -452,6 +452,16 @@ Auto-reconciliation is enabled in Kubernetes version 1.6+ when the RBAC authoriz
### Discovery Roles
Default role bindings authorize unauthenticated and authenticated users to read API information that is deemed safe to be publicly accessible. To disable anonymous unauthenticated access add `--anonymous-auth=false` to the API server configuration.
To view the configuration of these roles via `kubectl` run:
```
kubectl get clusterroles system:discovery -o yaml
```
NOTE: editing the role is not recommended as changes will be overwritten on API server restart via auto-reconciliation (see above).
<table>
<colgroup><col width="25%"><col width="25%"><col></colgroup>
<tr>
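Review bot: the first sentence of the hunk makes its claim about the *role bindings* ("Default role bindings authorize unauthenticated and authenticated users ..."), but the only inspection command given shows the ClusterRole, not the binding, so a reader cannot see from the page which subjects (groups) are actually granted the role. Suggest adding the binding alongside the role, e.g. `kubectl get clusterrolebindings system:discovery -o yaml`, so the reader can verify both the permissions and who holds them. Also, the `--anonymous-auth=false` advice is the security-relevant mitigation here and is currently buried mid-sentence; consider giving it its own sentence (or a note like the existing NOTE line) stating that it removes anonymous access to the API server as a whole, not only to these discovery roles, so operators understand the scope of the change before applying it.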