certificates.md: add note about system:masters in apiserver cert #43870
The kube-apiserver flag --kubelet-client-certificate accepts a client certificate (kube-apiserver-kubelet-client.crt) to connect to the kubelet. There is no need for this certificate to have "system:masters" as "O" in the Subject; instead it can be a less privileged group like kubeadm's "kubeadm:cluster-admins".
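As an added example (not code from this PR, kubeadm or Kubernetes), a standard-library Go check that parses a client certificate, lists the groups its Subject O carries, and flags `system:masters`; `SampleClientCert` builds a constructed self-signed stand-in for kube-apiserver-kubelet-client.crt, and the function names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// AuditClientCert parses a PEM certificate and returns its Subject O values
// (Kubernetes maps each O to a group for X.509 client auth) plus whether one
// of them is system:masters, which the kubelet client cert does not need.
func AuditClientCert(pemBytes []byte) (groups []string, superUser bool, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, false, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, false, err
	}
	for _, g := range cert.Subject.Organization {
		superUser = superUser || g == "system:masters"
	}
	return cert.Subject.Organization, superUser, nil
}

// SampleClientCert is a constructed stand-in for kube-apiserver-kubelet-client.crt:
// a self-signed client-auth certificate with the given CN and O values.
func SampleClientCert(cn string, orgs []string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Point `AuditClientCert` at the PEM read from a real kubeadm certs directory to audit an existing cluster.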
Nice.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: tengqm.
Instead of using the super-user group `system:masters` for `kube-apiserver-kubelet-client` | ||
a less privileged group can be used. kubeadm uses the `kubeadm:cluster-admins` group for | ||
that purpose. | ||
{{< /note >}} |
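Review bot: The note says a less privileged group "can be used" but does not say what that group must still be authorized to do; kube-apiserver presents this certificate to the kubelet, so a replacement group the kubelet's authorizer does not accept will break the apiserver-to-kubelet path rather than reduce privilege safely. Suggest one sentence after "that purpose." stating that whatever group replaces `system:masters` must be granted the kubelet API permissions, with `kubeadm:cluster-admins` given as the group kubeadm already uses for this rather than as an arbitrary choice.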
/lgtm
A question: Should we mention the version in which the behavior changed, v1.29, like the feature gate note?
you mean the super-admin.conf feature in 1.29?
it was added without a feature gate.
> you mean the super-admin.conf feature in 1.29?
I mean this note is since v1.29.
- For other FGs, we may have a tag note there to show this is alpha/beta since v1.xx.
well, this PR merges in the dev-1.29 branch and we don't have to do anything else, AFAIK.
the docs are versioned, so if users are on 1.28 they should be looking at 1.28 docs not at 1.29.
I don't know what the rules are about these tags / notes.
LGTM label has been added. Git tree hash: d508030a1d7e97ea79402750c92ab4693386bbf6
The kube-apiserver flag --kubelet-client-certificate
accepts a client certificate (kube-apiserver-kubelet-client.crt)
to connect to the kubelet. There is no need for this certificate
to have "system:masters" as "O" in the Subject; instead it
can be a less privileged group like kubeadm's "kubeadm:cluster-admins".
k/k bugfix PR:
kubernetes/kubernetes#121837