certificates.md: add note about system:masters in apiserver cert
The kube-apiserver flag --kubelet-client-certificate
accepts a client certificate (kube-apiserver-kubelet-client.crt)
to connect to the kubelet. There is no need for this certificate
to have "system:masters" as "O" in the Subject, instead it
can be a less privileged group like kubeadm's "kubeadm:cluster-admins".
neolit123 committed Nov 10, 2023
1 parent fff0693 commit ddb784a
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions content/en/docs/setup/best-practices/certificates.md
Expand Up @@ -95,6 +95,12 @@ Required certificates:
| kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | |
| front-proxy-client | kubernetes-front-proxy-ca | | client | |

{{< note >}}
Instead of using the super-user group `system:masters` for `kube-apiserver-kubelet-client`
a less privileged group can be used. kubeadm uses the `kubeadm:cluster-admins` group for
that purpose.
{{< /note >}}

[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)
the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
`kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local`)
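Review bot: the new note says a "less privileged group" can replace `system:masters` for `kube-apiserver-kubelet-client`, but does not say what that group still has to be allowed to do; the table row two lines above the note continues to list `system:masters` for this certificate, so a reader following the table alone will keep minting a super-user client cert. Suggest reconciling the row with the note, and adding one sentence stating that whatever group is chosen must be granted the access the kubelet's authorizer expects for API server requests, e.g. "kubeadm uses the `kubeadm:cluster-admins` group for that purpose; any replacement group must still be authorized to reach the kubelet API."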

0 comments on commit ddb784a