Merge pull request #48487 from ritazh/kep_3221_ga

k8s-ci-robot · web-flow · commit d8dbc916c423 · 2024-11-19T13:30:53.000Z
KEP-3221: remove mentions of beta and featuregate, and change order of cmd line
diff --git a/content/en/docs/reference/access-authn-authz/authorization.md b/content/en/docs/reference/access-authn-authz/authorization.md
@@ -165,41 +165,14 @@ to the built-in `cluster-admin` ClusterRole.
 ### Authorization mode configuration {#choice-of-authz-config}
 
 You can configure the Kubernetes API server's authorizer chain using either
-[command line arguments](#using-flags-for-your-authorization-module) only or, as a beta feature,
-using a [configuration file](#using-configuration-file-for-authorization).
+a [configuration file](#using-configuration-file-for-authorization) only or
+[command line arguments](#using-flags-for-your-authorization-module).
 
 You have to pick one of the two configuration approaches; setting both `--authorization-config`
 path and configuring an authorization webhook using the `--authorization-mode` and
 `--authorization-webhook-*` command line arguments is not allowed.
 If you try this, the API server reports an error message during startup, then exits immediately.
 
-### Command line authorization mode configuration {#using-flags-for-your-authorization-module}
-
-{{< feature-state state="stable" for_k8s_version="v1.8" >}}
-
-You can use the following modes:
-
-* `--authorization-mode=ABAC` (Attribute-based access control mode)
-* `--authorization-mode=RBAC` (Role-based access control mode)
-* `--authorization-mode=Node` (Node authorizer)
-* `--authorization-mode=Webhook` (Webhook authorization mode)
-* `--authorization-mode=AlwaysAllow` (always allows requests; carries [security risks](#warning-always-allow))
-* `--authorization-mode=AlwaysDeny` (always denies requests)
-
-You can choose more than one authorization mode; for example:
-`--authorization-mode=Node,RBAC,Webhook`
-
-Kubernetes checks authorization modules based on the order that you specify them
-on the API server's command line, so an earlier module has higher priority to allow
-or deny a request.
-
-You cannot combine the `--authorization-mode` command line argument with the
-`--authorization-config` command line argument used for
-[configuring authorization using a local file](#using-configuration-file-for-authorization-mode).
-
-For more information on command line arguments to the API server, read the
-[`kube-apiserver` reference](/docs/reference/command-line-tools-reference/kube-apiserver/).
-
 <!-- keep legacy hyperlinks working -->
 <a id="configuring-the-api-server-using-an-authorization-config-file" />
 
@@ -347,6 +320,31 @@ A reload **must not** add or remove Node or RBAC authorizers (they can be reorde
 but cannot be added or removed).
 {{< /note >}}
 
+### Command line authorization mode configuration {#using-flags-for-your-authorization-module}
+
+You can use the following modes:
+
+* `--authorization-mode=ABAC` (Attribute-based access control mode)
+* `--authorization-mode=RBAC` (Role-based access control mode)
+* `--authorization-mode=Node` (Node authorizer)
+* `--authorization-mode=Webhook` (Webhook authorization mode)
+* `--authorization-mode=AlwaysAllow` (always allows requests; carries [security risks](#warning-always-allow))
+* `--authorization-mode=AlwaysDeny` (always denies requests)
+
+You can choose more than one authorization mode; for example:
+`--authorization-mode=Node,RBAC,Webhook`
+
+Kubernetes checks authorization modules based on the order that you specify them
+on the API server's command line, so an earlier module has higher priority to allow
+or deny a request.
+
+You cannot combine the `--authorization-mode` command line argument with the
+`--authorization-config` command line argument used for
+[configuring authorization using a local file](#using-configuration-file-for-authorization-mode).
+
+For more information on command line arguments to the API server, read the
+[`kube-apiserver` reference](/docs/reference/command-line-tools-reference/kube-apiserver/).
+
 ## Privilege escalation via workload creation or edits {#privilege-escalation-via-pod-creation}
 
 Users who can create/edit pods in a namespace, either directly or through an object that
