From cdff2b4b6be23e85a2f4777e612056e4200fcce0 Mon Sep 17 00:00:00 2001 From: Marcelo Giles Date: Wed, 30 Oct 2024 18:09:24 -0700 Subject: [PATCH] Add systems:master paragraph --- .../docs/reference/access-authn-authz/authorization.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/content/en/docs/reference/access-authn-authz/authorization.md b/content/en/docs/reference/access-authn-authz/authorization.md index 8d7513583e..d68c39765c 100644 --- a/content/en/docs/reference/access-authn-authz/authorization.md +++ b/content/en/docs/reference/access-authn-authz/authorization.md @@ -152,6 +152,16 @@ You should not use the `AlwaysAllow` mode on a Kubernetes cluster where the API is reachable from the public internet. {{< /warning >}} +### The system:masters group + +The `system:masters` group is a built-in Kubernetes group that grants unrestricted +access to the API server. Any user assigned to this group has full cluster administrator +privileges, bypassing any authorization restrictions imposed by the RBAC or Webhook mechanisms. +[Avoid adding users](/docs/concepts/security/rbac-good-practices/#least-privilege) +to this group. If you do need to grant a user cluster-admin rights, you can create a +[ClusterRoleBinding](/docs/reference/access-authn-authz/rbac/#user-facing-roles) +to the built-in `cluster-admin` ClusterRole. + ### Authorization mode configuration {#choice-of-authz-config} You can configure the Kubernetes API server's authorizer chain using either
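Review bot: the new heading `### The system:masters group` carries no explicit anchor, while the neighbouring heading in the same hunk does (`### Authorization mode configuration {#choice-of-authz-config}`); add one in the same style, e.g. `### The system:masters group {#system-masters-group}`, so that links from other pages (including the RBAC good-practices page this paragraph points to) stay stable if the title is later reworded. Also, the commit subject reads "systems:master" while the paragraph itself correctly names the group `system:masters`; fix the subject so the history is searchable by the real group name.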