You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf May 11, 2034 09:39 UTC 9y ca no
apiserver May 11, 2034 09:39 UTC 9y ca no
apiserver-etcd-client May 11, 2034 09:39 UTC 9y etcd-ca no
apiserver-kubelet-client May 11, 2034 09:39 UTC 9y ca no
controller-manager.conf May 11, 2034 09:39 UTC 9y ca no
etcd-healthcheck-client May 11, 2034 09:39 UTC 9y etcd-ca no
etcd-peer May 11, 2034 09:39 UTC 9y etcd-ca no
etcd-server May 11, 2034 09:39 UTC 9y etcd-ca no
front-proxy-client May 11, 2034 09:39 UTC 9y front-proxy-ca no
scheduler.conf May 11, 2034 09:39 UTC 9y ca no
super-admin.conf May 11, 2034 09:39 UTC 9y ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 11, 2034 07:34 UTC 9y no
etcd-ca May 11, 2034 07:34 UTC 9y no
front-proxy-ca May 11, 2034 07:34 UTC 9y no
yuyicai
changed the title
Add support for super_admin.conf, which was introduced after version 1.30.
Add support for super_admin.conf, which was introduced after version 1.29.
May 15, 2024
kubeadm: a separate "super-admin.conf" file is now deployed. The User in admin.conf is now bound to a new RBAC Group kubeadm:cluster-admins that has cluster-admin ClusterRole access. The User in super-admin.conf is now bound to the system:masters built-in super-powers / break-glass Group that can bypass RBAC. Before this change, the default admin.conf was bound to system:masters Group, which was undesired. Executing kubeadm init phase kubeconfig all or just kubeadm init will now generate the new super-admin.conf file. The cluster admin can then decide to keep the file present on a node host or move it to a safe location. kubadm certs renew will renew the certificate in super-admin.conf to one year if the file exists; if it does not exist a "MISSING" note will be printed. kubeadm upgrade apply for this release will migrate this particular node to the two file setup. Subsequent kubeadm releases will continue to optionally renew the certificate in super-admin.conf if the file exists on disk and if renew on upgrade is not disabled. kubeadm join --control-plane will now generate only an admin.conf file that has the less privileged User.
yuyicai
changed the title
Add support for super_admin.conf, which was introduced after version 1.29.
Add support for super_admin.conf, which was introduced after K8s v1.29.
May 15, 2024
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
yuyicai
changed the title
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf May 11, 2034 09:39 UTC 9y ca no
apiserver May 11, 2034 09:39 UTC 9y ca no
apiserver-etcd-client May 11, 2034 09:39 UTC 9y etcd-ca no
apiserver-kubelet-client May 11, 2034 09:39 UTC 9y ca no
controller-manager.conf May 11, 2034 09:39 UTC 9y ca no
etcd-healthcheck-client May 11, 2034 09:39 UTC 9y etcd-ca no
etcd-peer May 11, 2034 09:39 UTC 9y etcd-ca no
etcd-server May 11, 2034 09:39 UTC 9y etcd-ca no
front-proxy-client May 11, 2034 09:39 UTC 9y front-proxy-ca no
scheduler.conf May 11, 2034 09:39 UTC 9y ca no
super-admin.conf May 11, 2034 09:39 UTC 9y ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca May 11, 2034 07:34 UTC 9y no
etcd-ca May 11, 2034 07:34 UTC 9y no
front-proxy-ca May 11, 2034 07:34 UTC 9y no