c0a3d26746
Automatic merge from submit-queue Remove e2e-rbac-bindings. Replace todo-grabbag binding w/ more specific heapster roles/bindings. Move kubelet binding. **What this PR does / why we need it**: The "e2e-rbac-bindings" held 2 leftovers from the 1.6 RBAC rollout process: - One is the "kubelet-binding" which grants the "system:node" role to kubelet. This is needed until we enable the node authorizer. I moved this to the folder w/ some other kubelet related bindings. - The other is the "todo-remove-grabbag-cluster-admin" binding, which grants the cluster-admin role to the default service account in the kube-system namespace. This appears to only be required for heapster. Heapster will instead use a "heapster" service account, bound to a "system:heapster" role on the cluster (no write perms), and a "system:pod-nanny" role in the kube-system namespace. **Which issue this PR fixes**: Addresses part of #39990 **Release Note**: ```release-note New and upgraded 1.7 GCE/GKE clusters no longer have an RBAC ClusterRoleBinding that grants the `cluster-admin` ClusterRole to the `default` service account in the `kube-system` namespace. If this permission is still desired, run the following command to explicitly grant it, either before or after upgrading to 1.7: kubectl create clusterrolebinding kube-system-default --serviceaccount=kube-system:default --clusterrole=cluster-admin ``` |
||
|---|---|---|
| .. | ||
| mounter | ||
| nvidia-gpus | ||
| configure-helper.sh | ||
| configure.sh | ||
| health-monitor.sh | ||
| helper.sh | ||
| master-helper.sh | ||
| master.yaml | ||
| node-helper.sh | ||
| node.yaml | ||
| README.md | ||
Container-VM Image
Container-VM Image is a container-optimized OS image for the Google Cloud Platform (GCP). It is primarily for running Google services on GCP. Unlike the open preview version of container-vm, the new Container-VM Image is based on the open source ChromiumOS project, allowing us greater control over the build management, security compliance, and customizations for GCP.