Document changes to default RBAC discovery ClusterRole(Binding)s

Documentation for kubernetes/enhancements#789 and kubernetes/kubernetes#73807
dekkagaijin · Feb 28, 2019 · 974c382 · 974c382
1 parent 16b551c
commit 974c382
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -462,6 +462,8 @@ kubectl get clusterroles system:discovery -o yaml
 
 NOTE: editing the role is not recommended as changes will be overwritten on API server restart via auto-reconciliation (see above).
 
+As of Kubernetes version 1.14+, the default RBAC discovery ClusterRoles are:
+
 <table>
 <colgroup><col width="25%"><col width="25%"><col></colgroup>
 <tr>
@@ -471,14 +473,19 @@ NOTE: editing the role is not recommended as changes will be overwritten on API
 </tr>
 <tr>
 <td><b>system:basic-user</b></td>
-<td><b>system:authenticated</b> and <b>system:unauthenticated</b> groups</td>
+<td><b>system:authenticated</b> group</td>
 <td>Allows a user read-only access to basic information about themselves.</td>
 </tr>
 <tr>
 <td><b>system:discovery</b></td>
-<td><b>system:authenticated</b> and <b>system:unauthenticated</b> groups</td>
+<td><b>system:authenticated</b> group</td>
 <td>Allows read-only access to API discovery endpoints needed to discover and negotiate an API level.</td>
 </tr>
+<tr>
+<td><b>system:public-info-viewer</b></td>
+<td><b>system:authenticated</b> and <b>system:unauthenticated</b> groups</td>
+<td>Allows read-only access to non-sensitive information about the cluster.</td>
+</tr>
 </table>
 
 ### User-facing Roles