| # The GKE environments don't have kubelets with certificates that |
| # identify the system:nodes group. They use the kubelet identity |
| # TODO: remove this once new nodes are granted individual identities and the |
| # NodeAuthorizer is enabled. |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRoleBinding |
| metadata: |
| name: kubelet-cluster-admin |
| labels: |
| kubernetes.io/cluster-service: "true" |
| addonmanager.kubernetes.io/mode: Reconcile |
| roleRef: |
| apiGroup: rbac.authorization.k8s.io |
| kind: ClusterRole |
| name: system:node |
| subjects: |
| - apiGroup: rbac.authorization.k8s.io |
| kind: User |
| name: kubelet |