mirror of https://github.com/k3s-io/k3s
c0a3d26746
Automatic merge from submit-queue Remove e2e-rbac-bindings. Replace todo-grabbag binding w/ more specific heapster roles/bindings. Move kubelet binding. **What this PR does / why we need it**: The "e2e-rbac-bindings" held 2 leftovers from the 1.6 RBAC rollout process: - One is the "kubelet-binding" which grants the "system:node" role to kubelet. This is needed until we enable the node authorizer. I moved this to the folder w/ some other kubelet related bindings. - The other is the "todo-remove-grabbag-cluster-admin" binding, which grants the cluster-admin role to the default service account in the kube-system namespace. This appears to only be required for heapster. Heapster will instead use a "heapster" service account, bound to a "system:heapster" role on the cluster (no write perms), and a "system:pod-nanny" role in the kube-system namespace. **Which issue this PR fixes**: Addresses part of #39990 **Release Note**: ```release-note New and upgraded 1.7 GCE/GKE clusters no longer have an RBAC ClusterRoleBinding that grants the `cluster-admin` ClusterRole to the `default` service account in the `kube-system` namespace. If this permission is still desired, run the following command to explicitly grant it, either before or after upgrading to 1.7: kubectl create clusterrolebinding kube-system-default --serviceaccount=kube-system:default --clusterrole=cluster-admin ``` |
||
|---|---|---|
| .. | ||
| container-linux | ||
| debian | ||
| gci | ||
| BUILD | ||
| OWNERS | ||
| config-common.sh | ||
| config-default.sh | ||
| config-test.sh | ||
| configure-vm.sh | ||
| cos | ||
| delete-stranded-load-balancers.sh | ||
| list-resources.sh | ||
| ubuntu | ||
| upgrade.sh | ||
| util.sh | ||