kubeadm: change SystemPrivilegedGroup in apiserve-kubelet-client.crt

The component connection between kube-apiserver and kubelet does not require the "O" field on the Subject to be set to the "system:masters" privileged group. It can be a less privileged group like "kubeadm:cluster-admins". Change the group in the apiserve-kubelet-client certificate specification. This cert is passed to --kubelet-client-certificate.
kubernetes · Nov 10, 2023 · 2780060 · 2780060
1 parent 5ce0bd9
commit 2780060
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/cmd/kubeadm/app/phases/certs/certlist.go b/cmd/kubeadm/app/phases/certs/certlist.go
@@ -291,7 +291,7 @@ func KubeadmCertKubeletClient() *KubeadmCert {
 		config: pkiutil.CertConfig{
 			Config: certutil.Config{
 				CommonName:   kubeadmconstants.APIServerKubeletClientCertCommonName,
-				Organization: []string{kubeadmconstants.SystemPrivilegedGroup},
+				Organization: []string{kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding},
 				Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 			},
 		},