From aef5e64894ec3bd91c272adc3617f51087c9ab21 Mon Sep 17 00:00:00 2001 From: Nathan Jones Date: Mon, 28 Oct 2019 18:03:00 -0400 Subject: [PATCH] granting cluster-admin to normal users Added note to clarify results of granting cluster-admin to normal users. This question was raised by a customer in support case# 100567 --- ee/ucp/authorization/index.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ee/ucp/authorization/index.md b/ee/ucp/authorization/index.md index 5bef618736..b82c4e96ae 100644 --- a/ee/ucp/authorization/index.md +++ b/ee/ucp/authorization/index.md @@ -103,7 +103,12 @@ For cluster security, only UCP admin users and service accounts that are granted the `cluster-admin` ClusterRole for all Kubernetes namespaces via a ClusterRoleBinding can deploy pods with privileged options. This prevents a platform user from being able to bypass the Universal Control Plane Security -Model. These privileged options include: +Model. + +> Note: Granting the `cluster admin` ClusterRole to normal users does not allow +> them to deploy privilaged pods. + +These privileged options include: Pods with any of the following defined in the Pod Specification:
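Review bot: In the added note, the role name is written `cluster admin` with a space, while the paragraph above it and the commit subject use `cluster-admin`, and "privilaged" is misspelled. Both should be corrected so the note matches the ClusterRole name a reader would search for or put in a ClusterRoleBinding. The note would also tie in better with the list that follows if it reused the paragraph's own wording, for example: "Granting the `cluster-admin` ClusterRole to a normal user does not allow that user to deploy pods with privileged options." The preceding sentence can be read as "UCP admin users" plus "service accounts that are granted `cluster-admin`", or as both groups needing the grant, so the note is the only place that settles the normal-user case; consider saying explicitly that the restriction applies to normal users even when the ClusterRoleBinding covers all namespaces.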