GKE on VMware deploys Pods to your nodes that have elevated RBAC permissions such as the ability to modify all Deployments and to read all cluster Secrets. These permissions are required for GKE on VMware to function correctly.
These are the components that have elevated RBAC permissions:
- gke-connect-agent
- ais
- coredns-autoscaler
- kube-proxy
- calico-node
- anet-operator
- metallb-speaker
- metallb-controller
- cluster-health-controller
- gmsa-webhook
- onprem-user-cluster-controller
- gke-usage-metering
- metrics-server