You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/docs/reference/access-authn-authz/node.md
-26Lines changed: 0 additions & 26 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -70,29 +70,3 @@ and would need to continue to be authorized via whatever mechanism currently aut
70
70
The `NodeRestriction` admission plugin would ignore requests from these kubelets,
71
71
since the default node identifier implementation would not consider that a node identity.
72
72
73
-
### Upgrades from previous versions using RBAC
74
-
75
-
Upgraded pre-1.7 clusters using [RBAC](/docs/reference/access-authn-authz/rbac/) will continue functioning as-is because the `system:nodes` group binding will already exist.
76
-
77
-
If a cluster admin wishes to start using the `Node` authorizer and `NodeRestriction` admission plugin
78
-
to limit node access to the API, that can be done non-disruptively:
79
-
80
-
1. Enable the `Node` authorization mode (`--authorization-mode=Node,RBAC`) and the `NodeRestriction` admission plugin
81
-
2. Ensure all kubelets' credentials conform to the group/username requirements
82
-
3. Audit apiserver logs to ensure the `Node` authorizer is not rejecting requests from kubelets (no persistent `NODE DENY` messages logged)
83
-
4. Delete the `system:node` cluster role binding
84
-
85
-
### RBAC Node Permissions
86
-
87
-
In 1.6, the `system:node` cluster role was automatically bound to the `system:nodes` group when using the [RBAC Authorization mode](/docs/reference/access-authn-authz/rbac/).
88
-
89
-
In 1.7, the automatic binding of the `system:nodes` group to the `system:node` role is deprecated
90
-
because the node authorizer accomplishes the same purpose with the benefit of additional restrictions
91
-
on secret and configmap access. If the `Node` and `RBAC` authorization modes are both enabled,
92
-
the automatic binding of the `system:nodes` group to the `system:node` role is not created in 1.7.
93
-
94
-
In 1.8, the binding will not be created at all.
95
-
96
-
When using RBAC, the `system:node` cluster role will continue to be created,
97
-
for compatibility with deployment methods that bind other users or groups to that role.
0 commit comments