content/en/docs/reference/access-authn-authz
@@ -152,6 +152,16 @@ You should not use the `AlwaysAllow` mode on a Kubernetes cluster where the API
152152is reachable from the public internet.
153153{{< /warning >}}
154154
155+ ### The system: masters group
156+
157+ The ` system:masters ` group is a built-in Kubernetes group that grants unrestricted
158+ access to the API server. Any user assigned to this group has full cluster administrator
159+ privileges, bypassing any authorization restrictions imposed by the RBAC or Webhook mechanisms.
160+ [ Avoid adding users] ( /docs/concepts/security/rbac-good-practices/#least-privilege )
161+ to this group. If you do need to grant a user cluster-admin rights, you can create a
162+ [ ClusterRoleBinding] ( /docs/reference/access-authn-authz/rbac/#user-facing-roles )
163+ to the built-in ` cluster-admin ` ClusterRole.
164+
155165### Authorization mode configuration {#choice-of-authz-config}
156166
157167You can configure the Kubernetes API server's authorizer chain using either
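Review bot: At new lines 160-163 the text steers readers to a ClusterRoleBinding to `cluster-admin` instead of `system:masters` membership, but it never says what the difference is, so the advice reads as two routes to the same result. Suggest adding a sentence that follows from line 159: a binding is evaluated by RBAC and can be deleted or narrowed later, while membership in the group bypasses RBAC and Webhook and so cannot be restricted by them. Line 159 also names only "the RBAC or Webhook mechanisms"; say whether the bypass covers the whole authorizer chain configured in the section that follows. Style: the next heading carries an explicit anchor (`{#choice-of-authz-config}`), and giving this new heading one as well would keep inbound links stable.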