Why have a ClusterRoleBinding for `system:masters` when it has unrestricted privileges without RBAC?

Hi team,

I have a general question about the authentication of the special group system:masters.

When RBAC is enabled, there is a ClusterRoleBinding, cluster-admin, auto-created by the cluster, that binds system:masters to the ClusterRole cluster-admin. Together with a few source code comments [1] and docs (e.g. the last paragraph of [2]), this gives the impression that the existence of the ClusterRoleBinding is how elevated permission is given to this group.

But I later found in the docs (e.g. the last bullet point under Least privilege) that system:masters is baked into the apiserver and always has unrestricted admin access, bypassing all other authentication checks. So even if the ClusterRoleBinding gets removed or the RBAC module itself breaks down, users in this group can continue accessing the cluster.

I was wondering why the ClusterRoleBinding for system:masters exists anyway. It doesn’t seem to be useful, and it generates a lot of confusion around how auth of system:masters is actually handled.

Thanks!