The cluster-info ConfigMap should be exposed to everyone, including system:unauthenticated, see: kubernetes/community#189
We actually face some challenges in doing so.
The proposed solution is to always enable RBAC, and to turn on RBAC by default and have it configurable.
So in case the user gives ABAC as the authz mode, the actual param will be --authorization-mode=RBAC,ABAC and that will work as it is supposed to in most cases, given that the multiple authz modules' responses are unioned (if one module grants, the request is granted).
If RBAC is specified as the authz mode to use, kubeadm will set up ClusterRoleBindings for kube-dns, kube-proxy and maybe other things as well.
But the proposal is to always make the RBAC module grant:
- token users to do TLS bootstrapping
- anyone access the cluster-info ConfigMap in the kube-public namespace.
This issue is based on a conversation on Slack between me, @liggitt and @jbeda
The general thing with kubeadm is making it possible to set up secure clusters without having to copy files, so this is a tradeoff for that. Anyway, I see that this might not be optimal for everyone (you're basically giving your CA cert away for free), so this should be swappable as everything else in kubeadm as well
cc @mikedanese @erictune @roberthbailey @deads2k @pires @dmmcquay @errordeveloper @dgoodwin
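A least-privilege way to express the "anyone can read cluster-info" grant, as an added example rather than code from this issue or from kubeadm (the Role/RoleBinding names are assumptions): a namespaced Role in kube-public that allows only `get` on the single cluster-info ConfigMap, bound to the system:unauthenticated group (and to system:authenticated, so token users that do present credentials are not locked out).

```yaml
# Added example, not code from the issue or from kubeadm itself.
# Grants read access to exactly one ConfigMap (cluster-info) in kube-public;
# nothing else in the namespace becomes readable to anonymous clients.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cluster-info-reader        # assumed name
  namespace: kube-public
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["cluster-info"]  # scope to the one object the bootstrap flow needs
  verbs: ["get"]                   # no list/watch: resourceNames does not constrain those
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cluster-info-reader        # assumed name
  namespace: kube-public
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cluster-info-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated     # anonymous requests land in this group
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated       # bootstrap-token users authenticate, so they need this too
```

The grant only takes effect if the API server still accepts anonymous requests (`--anonymous-auth=true`, the default); a credential-less `curl -k https://<apiserver>:6443/api/v1/namespaces/kube-public/configmaps/cluster-info` should return the ConfigMap, while the same request against any other ConfigMap in kube-public should be forbidden. Keep in mind the tradeoff stated above: whatever is in cluster-info, including the CA certificate, is now public.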