If you decide to run with the RBAC authorizer, tools like kubeadm run the control plane components with credentials that have the required permissions out of the box. If you're using your own deployment/setup, you'll want to consult https://kubernetes.io/docs/admin/authorization/rbac/#core-co... to either give standard user/group names to your components, or grant the appropriate roles to custom user/group names.
Once your control plane is running, granting API access to other apps that need it is typically a matter of creating a service account, setting that service account in the pod spec, and granting the service account a role with sufficient access. See https://kubernetes.io/docs/admin/authorization/rbac/#service...