Merge pull request kubernetes#50145 from tengqm/kubelet-authz

k8s-ci-robot · web-flow · commit f9be9a248c31 · 2025-03-30T10:24:35.000-07:00
Mention the builtin clusterrole in kubelet authorization
diff --git a/content/en/docs/reference/access-authn-authz/kubelet-authn-authz.md b/content/en/docs/reference/access-authn-authz/kubelet-authn-authz.md
@@ -100,7 +100,6 @@ Kubelet API   | resource | subresource
 /stats/\*     | nodes    | stats
 /metrics/\*   | nodes    | metrics
 /logs/\*      | nodes    | log
-/spec/\*      | nodes    | spec
 /pods         | nodes    | pods, proxy
 /runningPods/ | nodes    | pods, proxy
 /healthz      | nodes    | healthz, proxy
@@ -115,8 +114,12 @@ flags passed to the API server is authorized for the following attributes:
 * verb=\*, resource=nodes, subresource=proxy
 * verb=\*, resource=nodes, subresource=stats
 * verb=\*, resource=nodes, subresource=log
-* verb=\*, resource=nodes, subresource=spec
 * verb=\*, resource=nodes, subresource=metrics
 * verb=\*, resource=nodes, subresource=configz
 * verb=\*, resource=nodes, subresource=healthz
 * verb=\*, resource=nodes, subresource=pods
+
+If [RBAC authorization](/docs/reference/access-authn-authz/rbac/) is used,
+enabling this gate also ensure that the builtin `system:kubelet-api-admin` ClusterRole
+is updated with permissions to access all the above mentioned subresources.
+
