Switch apiserver certificate to system:masters org

* A kubernetes apiserver should be authorized to make requests to kubelets using an admin role associated with system:masters * Kubelet defaults to AlwaysAllow so an apiserver that presented a valid certificate had all access to the Kubelet. With Webhook authorization, we're making that admin access explicit * Its important the apiserver be able to perform or proxy to kubelets for kubectl log, exec, port-forward, etc. * poseidon/typhoon#215
poseidon · May 14, 2018 · 28f68db · 28f68db
1 parent 305c813
commit 28f68db
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/tls-k8s.tf b/tls-k8s.tf
@@ -62,7 +62,7 @@ resource "tls_cert_request" "apiserver" {
 
   subject {
     common_name  = "kube-apiserver"
-    organization = "kube-master"
+    organization = "system:masters"
   }
 
   dns_names = [