kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

certificates.md: add note about system:masters in apiserver cert 

The kube-apiserver flag --kubelet-client-certificate
accepts a client certificate (kube-apiserver-kubelet-client.crt)
to connect to the kubelet. There is no need for this certificate
to have "system:masters" as "O" in the Subject, instead it
can be a less privileged group like kubeadm's "kubeadm:cluster-admins".
pull/43870/head
Lubomir I. Ivanov 2023-11-10 14:27:38 +02:00
parent fff0693f7b
commit ddb784aab1
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
content/en/docs/setup/best-practices/certificates.md
View File

@ -95,6 +95,12 @@ Required certificates:
| kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | |
| front-proxy-client | kubernetes-front-proxy-ca | | client | |
{{< note >}}
Instead of using the super-user group `system:masters` for `kube-apiserver-kubelet-client`
a less privileged group can be used. kubeadm uses the `kubeadm:cluster-admins` group for
that purpose.
{{< /note >}}
[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/)
the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
`kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local`)