
What have people been experiencing with K8s 1.7? For me it's been nothing but RBAC issues everywhere (Granted, I'm upgrading from 1.5 so it's kinda my own damn fault).


We took the RBAC "hit" in 1.6. This mostly involved grokking the Role/RoleBinding and ClusterRole/ClusterRoleBinding details first. After that it was primarily a matter of updating a slew of Helm charts. Ones that we maintain for ourselves, and several community charts that had yet to be updated.


I think I understand cluster roles and bindings, my biggest thing is that I was using a bunch of off-the-shelf Helm charts (for Spinnaker, k8s dashboard, and Deis Workflow especially) and all three stopped working with RBAC. Those have been an...adventure to fix.


If you decide to run with the RBAC authorizer, tools like kubeadm run the control plane components with credentials that have the required permissions out of the box. If you're using your own deployment/setup, you'll want to consult https://kubernetes.io/docs/admin/authorization/rbac/#core-co... to either give standard user/group names to your components, or grant the appropriate roles to custom user/group names.

Once your control plane is running, granting API access to other apps that need it is typically a matter of creating a service account, setting that service account in the pod spec, and granting the service account a role with sufficient access. See https://kubernetes.io/docs/admin/authorization/rbac/#service...

Finally, if you're upgrading an existing cluster, and want to turn on RBAC authorization, there are tips at https://kubernetes.io/docs/admin/authorization/rbac/#upgradi... for easing the transition.
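
Added example (not part of the comment above, and not taken from the Kubernetes docs or any chart): the service account, pod spec, and role grant steps the comment describes, written as one least-privilege manifest. The namespace `demo`, the names `chart-app` and `pod-reader`, and the image are placeholders chosen for illustration.

```yaml
# Constructed example: all names and the image are placeholders.
# rbac.authorization.k8s.io/v1 is GA from Kubernetes 1.8; on 1.6/1.7 use v1beta1.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: chart-app
  namespace: demo
---
# Namespaced Role: only the verbs and resources the app needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:
  - apiGroups: [""]              # "" is the core API group
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role to the service account (not to a user or group).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chart-app-pod-reader
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: chart-app
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
apiVersion: v1
kind: Pod
metadata:
  name: chart-app
  namespace: demo
spec:
  # Without this field the pod runs as the namespace's "default" service account.
  serviceAccountName: chart-app
  containers:
    - name: app
      image: registry.example.com/chart-app:1.0   # placeholder image
# After applying, check that the grant is no wider than intended:
#   kubectl auth can-i list pods   -n demo --as=system:serviceaccount:demo:chart-app
#   kubectl auth can-i delete pods -n demo --as=system:serviceaccount:demo:chart-app
```

A Role and RoleBinding keep the grant inside one namespace; a ClusterRole and ClusterRoleBinding are only needed when the app has to read cluster-scoped resources or resources across namespaces.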



