Deleting the roles is the easy part. The hard part is coordinating with the whole provisioning ecosystem to avoid unexpected breakage. How do we know when this is safe to merge?

@tallclair I'm not familiar with where what component this gets run in, is it part of the APIServer?

@micahhausler yeah, it's part of the RBAC plugin, so whichever apiserver that's loaded in. Typically it's the kube-aggregator server, with extension servers using delegation, but I think it's also possible to run RBAC in each extension apiserver.

Does this line need to be removed too? https://github.com/kubernetes/kubernetes/pull/66635/files#diff-eee450e334a11e0b683ce965f584c3c4R531

/retest

/test pull-kubernetes-bazel-test

@wgliang I think the expected output needs to be updated.

@wgliang will you have time to finish this one?

Yeah, I'll will update it.

@wgliang thanks. If it helps, I created this: master...duglin:pr66635 if case you didn't have time. There's another "aws" line I think might need to be removed too.

@duglin
Thanks for your review. I have updated it.

/lgtm

with the thaw... any chance of moving this one along now?

This LGTM, but I'd like to get approval from someone from @kubernetes/sig-aws-misc
Maybe @justinsb ?

ping @justinsb @kubernetes/sig-aws-misc

/cc @lavalamp - FYI

How did this get in there in the first place? We really shouldn't have any cloud provider specific code like this that's not hidden behind an interface in a cloud provider package.

@lavalamp it got in here via #56709 and at that time there used to be a generic system:cloud-provider service account which had similar access to modify resources. There is a long history of comments how it got there(if you read the PR). but GCE cloudprovider has similar access. I originally proposed AWS cloud-provider to use same system:cloud-provider service account that GCE uses.

BTW - is there any reason we can't deprecate this RBAC policy first and remove it in next release? That at least will give time for installation tools to catch up and will be consistent with how other cloudprovider policies are being removed. cc @justinsb

agree with announcing removal prior to removing

@wgliang can you make sure a deprecation notice makes it into the 1.13 release notes, and is announced to the relevant sigs (looks like aws, in this case), along with the required action for deployers? do we want to copy this role out to a yaml manifest that deployers can use as they transition to granting this permission externally?

@liggitt No problem. I will follow up with 1.13 release note and communicate with the relevant personnel.

added to 1.13 release notes as deprecated

/hold
for 1.15

/hold cancel

master is open for 1.15 dev now, can you rebase this?

@liggitt Done.

/retest
/lgtm
/approve

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb, liggitt, wgliang

The full list of commands accepted by this bot can be found here.

The pull request process is described here