File tree 1 file changed +20
-0
lines changed
content/zh-cn/docs/reference/access-authn-authz
1 file changed +20
-0
lines changed Original file line number Diff line number Diff line change @@ -297,6 +297,26 @@ is reachable from the public internet.
297297你不应在可从公共互联网访问 API 服务器的 Kubernetes 集群上使用 ` AlwaysAllow ` 模式。
298298{{< /warning >}}
299299
300+ <!--
301+ ### The system:masters group
302+
303+ The `system:masters` group is a built-in Kubernetes group that grants unrestricted
304+ access to the API server. Any user assigned to this group has full cluster administrator
305+ privileges, bypassing any authorization restrictions imposed by the RBAC or Webhook mechanisms.
306+ [Avoid adding users](/docs/concepts/security/rbac-good-practices/#least-privilege)
307+ to this group. If you do need to grant a user cluster-admin rights, you can create a
308+ [ClusterRoleBinding](/docs/reference/access-authn-authz/rbac/#user-facing-roles)
309+ to the built-in `cluster-admin` ClusterRole.
310+ -->
311+ ### ` system:masters ` 组
312+
313+ ` system:masters ` 组是 Kubernetes 内置的一个组,授予其成员对 API 服务器的无限制访问权限。
314+ 任何被分配到此组的用户都具有完全的集群管理员权限,可以绕过由 RBAC 或 Webhook 机制施加的任何鉴权限制。
315+ 请[ 避免将用户添加到此组] ( /zh-cn/docs/concepts/security/rbac-good-practices/#least-privilege ) 。
316+ 如果你确实需要授予某个用户集群管理员权限,可以通过创建一个
317+ [ ClusterRoleBinding] ( /zh-cn/docs/reference/access-authn-authz/rbac/#user-facing-roles )
318+ 将其绑定到内置的 ` cluster-admin ` ClusterRole。
319+
300320<!--
301321### Authorization mode configuration {#choice-of-authz-config}
302322
You can’t perform that action at this time.
0 commit comments