certificates.md: add note about system:masters in apiserver cert

The kube-apiserver flag --kubelet-client-certificate accepts a client certificate (kube-apiserver-kubelet-client.crt) to connect to the kubelet. There is no need for this certificate to have "system:masters" as "O" in the Subject, instead it can be a less privileged group like kubeadm's "kubeadm:cluster-admins".
2023-11-10 14:27:38 +02:00 · 2023-11-10 14:27:38 +02:00 · ddb784aab1
parent fff0693f7b
commit ddb784aab1
1 changed files with 6 additions and 0 deletions
--- a/content/en/docs/setup/best-practices/certificates.md
+++ b/content/en/docs/setup/best-practices/certificates.md
@ -95,6 +95,12 @@ Required certificates:
 | kube-apiserver-kubelet-client | kubernetes-ca             | system:masters | client           |                                                     |
 | front-proxy-client            | kubernetes-front-proxy-ca |                | client           |                                                     |

+{{< note >}}
+Instead of using the super-user group `system:masters` for `kube-apiserver-kubelet-client`
+a less privileged group can be used. kubeadm uses the `kubeadm:cluster-admins` group for
+that purpose.
+{{< /note >}}
+
 [1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)
 the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
 `kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local`)