Skip to content

Commit ca7e03f

Browse files
devin-donnellydevin-donnelly
authored
Merge pull request kubernetes#1714 from bacongobbler/rbac-move-superuser-flag
move "Privilege Escalation Prevention and Bootstrapping closer
2 parents 2f26823 + fdf250f commit ca7e03f

File tree

1 file changed

+23
-23
lines changed

1 file changed

+23
-23
lines changed

docs/admin/authorization.md

Lines changed: 23 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -207,6 +207,29 @@ and [enable the API version](
207207
/docs/admin/cluster-management/#turn-on-or-off-an-api-version-for-your-cluster),
208208
with a `--runtime-config=` that includes `rbac.authorization.k8s.io/v1alpha1`.
209209

210+
### Privilege Escalation Prevention and Bootstrapping
211+
212+
The `rbac.authorization.k8s.io` API group inherently attempts to prevent users
213+
from escalating privileges. Simply put, __a user can't grant permissions they
214+
don't already have even when the RBAC authorizer it disabled__. If "user-1"
215+
does not have the ability to read secrets in "namespace-a", they cannot create
216+
a binding that would grant that permission to themselves or any other user.
217+
218+
For bootstrapping the first roles, it becomes necessary for someone to get
219+
around these limitations. For the alpha release of RBAC, an API Server flag was
220+
added to allow one user to step around all RBAC authorization and privilege
221+
escalation checks. NOTE: _This is subject to change with future releases._
222+
223+
```
224+
--authorization-rbac-super-user=admin
225+
```
226+
227+
Once set the specified super user, in this case "admin", can be used to create
228+
the roles and role bindings to initialize the system.
229+
230+
This flag is optional and once the initial bootstrapping is performed can be
231+
unset.
232+
210233
### Roles, RolesBindings, ClusterRoles, and ClusterRoleBindings
211234

212235
The RBAC API Group declares four top level types which will be covered in this
@@ -417,29 +440,6 @@ subjects:
417440
name: system:serviceaccounts
418441
```
419442

420-
### Privilege Escalation Prevention and Bootstrapping
421-
422-
The `rbac.authorization.k8s.io` API group inherently attempts to prevent users
423-
from escalating privileges. Simply put, __a user can't grant permissions they
424-
don't already have even when the RBAC authorizer it disabled__. If "user-1"
425-
does not have the ability to read secrets in "namespace-a", they cannot create
426-
a binding that would grant that permission to themselves or any other user.
427-
428-
For bootstrapping the first roles, it becomes necessary for someone to get
429-
around these limitations. For the alpha release of RBAC, an API Server flag was
430-
added to allow one user to step around all RBAC authorization and privilege
431-
escalation checks. NOTE: _This is subject to change with future releases._
432-
433-
```
434-
--authorization-rbac-super-user=admin
435-
```
436-
437-
Once set the specified super user, in this case "admin", can be used to create
438-
the roles and role bindings to initialize the system.
439-
440-
This flag is optional and once the initial bootstrapping is performed can be
441-
unset.
442-
443443
## Webhook Mode
444444

445445
When specified, mode `Webhook` causes Kubernetes to query an outside REST

0 commit comments

Comments
 (0)