certificates.md: remove system:masters from kube-apiserver-kubelet-cl…

…ient The kube-apiserver flag --kubelet-client-certificate accepts a client certificate (kube-apiserver-kubelet-client.crt) to connect to the kubelet. There is no need for this certificate to have "system:masters" as "O" in the Subject.
kubernetes · Nov 10, 2023 · b957213 · b957213
1 parent fff0693
commit b957213
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/content/en/docs/setup/best-practices/certificates.md b/content/en/docs/setup/best-practices/certificates.md
@@ -92,7 +92,7 @@ Required certificates:
 | kube-etcd-healthcheck-client  | etcd-ca                   |                | client           |                                                     |
 | kube-apiserver-etcd-client    | etcd-ca                   |                | client           |                                                     |
 | kube-apiserver                | kubernetes-ca             |                | server           | `<hostname>`, `<Host_IP>`, `<advertise_IP>`, `[1]`  |
-| kube-apiserver-kubelet-client | kubernetes-ca             | system:masters | client           |                                                     |
+| kube-apiserver-kubelet-client | kubernetes-ca             |                | client           |                                                     |
 | front-proxy-client            | kubernetes-front-proxy-ca |                | client           |                                                     |
 
 [1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)