kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add systems:master paragraph

pull/48600/head
Marcelo Giles 2024-10-30 18:09:24 -07:00
parent c37054ee0d
commit cdff2b4b6b
No known key found for this signature in database
GPG Key ID: F79A638016E48DFE
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
content/en/docs/reference/access-authn-authz/authorization.md
View File

@ -152,6 +152,16 @@ You should not use the `AlwaysAllow` mode on a Kubernetes cluster where the API
is reachable from the public internet. is reachable from the public internet.
{{< /warning >}} {{< /warning >}}
### The system:masters group
The `system:masters` group is a built-in Kubernetes group that grants unrestricted
access to the API server. Any user assigned to this group has full cluster administrator
privileges, bypassing any authorization restrictions imposed by the RBAC or Webhook mechanisms.
[Avoid adding users](/docs/concepts/security/rbac-good-practices/#least-privilege)
to this group. If you do need to grant a user cluster-admin rights, you can create a
[ClusterRoleBinding](/docs/reference/access-authn-authz/rbac/#user-facing-roles)
to the built-in `cluster-admin` ClusterRole.
### Authorization mode configuration {#choice-of-authz-config} ### Authorization mode configuration {#choice-of-authz-config}
You can configure the Kubernetes API server's authorizer chain using either You can configure the Kubernetes API server's authorizer chain using either