
certificates.md: add note about system:masters in apiserver cert #43870

Conversation

@neolit123 (Member) commented Nov 10, 2023

The kube-apiserver flag --kubelet-client-certificate
accepts a client certificate (kube-apiserver-kubelet-client.crt)
to connect to the kubelet. There is no need for this certificate
to have "system:masters" as "O" in the Subject, instead it
can be a less privileged group like kubeadm's "kubeadm:cluster-admins".

k/k bugfix PR:
kubernetes/kubernetes#121837

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 10, 2023
@neolit123 neolit123 changed the base branch from main to dev-1.29 November 10, 2023 12:28
@k8s-ci-robot k8s-ci-robot added language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Nov 10, 2023
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 10, 2023
netlify bot commented Nov 10, 2023

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 0ae8958
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/654e21f0d8edd400081cc63f
😎 Deploy Preview https://deploy-preview-43870--kubernetes-io-main-staging.netlify.app

@neolit123 neolit123 force-pushed the 1.29-fix-system-masters-apiserver-kubelet-cert branch from 0ae8958 to b957213 Compare November 10, 2023 12:32
netlify bot commented Nov 10, 2023

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name Link
🔨 Latest commit ddb784a
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/654e2d70094e2300085430da

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Nov 10, 2023
@neolit123 neolit123 force-pushed the 1.29-fix-system-masters-apiserver-kubelet-cert branch from b957213 to ddb784a Compare November 10, 2023 13:17
@neolit123 neolit123 changed the title certificates.md: remove system:masters from kube-apiserver-kubelet-client certificates.md: add note about system:masters in apiserver cert Nov 10, 2023
@tengqm (Contributor) commented Nov 10, 2023

Nice.
/approve

@k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tengqm


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 10, 2023
Instead of using the super-user group `system:masters` for `kube-apiserver-kubelet-client`
a less privileged group can be used. kubeadm uses the `kubeadm:cluster-admins` group for
that purpose.
{{< /note >}}
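Review bot: the note says a less privileged group "can be used" but does not say whether kubeadm's default changed or in which release; since this lands in dev-1.29, state that kubeadm issues `kube-apiserver-kubelet-client` with `O=kubeadm:cluster-admins` from v1.29 so readers of the versioned page know whether clusters created by older kubeadm still carry `system:masters` in this certificate.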
Member commented:

/lgtm

A question: Should we mention the behavior changed version v1.29 like the feature gate note?

@neolit123 (Member, author) commented:

you mean the super-admin.conf feature in 1.29?
it was added without a feature gate.

@pacoxu (Member) commented Nov 13, 2023

you mean the super-admin.conf feature in 1.29?

I mean this note is since v1.29.

  • For other FGs, we may have a tag note there to show this is alpha/beta since v1.xx.

@neolit123 (Member, author) commented:

well, this PR merges in the dev-1.29 branch and we don't have to do anything else, AFAIK.

the docs are versioned, so if users are on 1.28 they should be looking at 1.28 docs not at 1.29.

@neolit123 (Member, author) commented:

I don't know what the rules about these tags / notes are.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 13, 2023
@k8s-ci-robot (Contributor) commented:

LGTM label has been added.

Git tree hash: d508030a1d7e97ea79402750c92ab4693386bbf6

@k8s-ci-robot k8s-ci-robot merged commit c55e6f2 into kubernetes:dev-1.29 Nov 13, 2023
6 checks passed
@k8s-ci-robot k8s-ci-robot added this to the 1.29 milestone Nov 13, 2023

4 participants