From 7e98e06e483a417744c78e15548280f3db762049 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 16 Jan 2017 14:01:24 -0500
Subject: [PATCH 1/2] Include system:masters group in the bootstrap admin client certificate
---
 cluster/common.sh | 7 ++++++-
 cluster/saltbase/salt/generate-cert/make-ca-cert.sh | 6 +++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/cluster/common.sh b/cluster/common.sh
index c6b89ea67d..2ebf7e5c83 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -995,7 +995,12 @@ function generate-certs {
 mv "kubelet.pem" "pki/issued/kubelet.crt"
 rm -f "kubelet.csr"
 
- ./easyrsa build-client-full kubecfg nopass
+ # Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
+ ./easyrsa --dn-mode=org \
+ --req-cn=kubecfg --req-org=system:masters \
+ --req-c= --req-st= --req-city= --req-email= --req-ou= \
+ build-client-full kubecfg nopass
+
 cd ../kubelet
 ./easyrsa init-pki
 ./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass
diff --git a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
index ac227a2c08..f4e23a81f9 100755
--- a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
+++ b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
@@ -99,7 +99,11 @@ else
 cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
 cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
 fi
-./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1
+# Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
+./easyrsa --dn-mode=org \
+ --req-cn=kubecfg --req-org=system:masters \
+ --req-c= --req-st= --req-city= --req-email= --req-ou= \
+ build-client-full kubecfg nopass > /dev/null 2>&1
 cp -p pki/ca.crt "${cert_dir}/ca.crt"
 cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
 cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
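Review bot: The comment above the new easyrsa call in both hunks (here in generate-certs and again in make-ca-cert.sh) should state the consequence of the subject, not only its shape: the system:masters membership travels inside the certificate, so the API server honors it without any RBAC binding and it cannot be withdrawn without reissuing the cert or rotating the CA, which is exactly what lets the second patch in this series delete the e2e ClusterRoleBinding. Suggested wording: `# Subject "O=system:masters, CN=kubecfg": the group is embedded in the cert, so kubecfg.key is a superuser credential independent of RBAC; guard it like the CA private key.` The empty `--req-c= --req-st= --req-city= --req-email= --req-ou=` flags also deserve a one-line why, presumably that they blank easyrsa's org-mode defaults so the subject carries only O and CN — confirm against the easyrsa vars in use. The same five-line invocation now lives verbatim in two scripts, so a shared helper would keep the two copies from drifting apart. generate-certs starts and continues outside the hunk.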
From 264dbf0daf21c8cc9e0a739a994ee44b60154e8a Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 16 Jan 2017 14:12:15 -0500
Subject: [PATCH 2/2] Remove direct kubecfg RBAC grant
---
 .../e2e-rbac-bindings/e2e-user-binding.yaml | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 cluster/addons/e2e-rbac-bindings/e2e-user-binding.yaml
diff --git a/cluster/addons/e2e-rbac-bindings/e2e-user-binding.yaml b/cluster/addons/e2e-rbac-bindings/e2e-user-binding.yaml
deleted file mode 100644
index e70d320a90..0000000000
--- a/cluster/addons/e2e-rbac-bindings/e2e-user-binding.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# This is the main user for the e2e tests. This is ok to leave long term
-# since the first user in the test can reasonably be high power
-# its kubecfg in gce
-# TODO consider provisioning each test its namespace and giving it an
-# admin user. This still has to exist, but e2e wouldn't normally use it
-apiVersion: rbac.authorization.k8s.io/v1alpha1
-kind: ClusterRoleBinding
-metadata:
- name: e2e-user-cluster-admin
- labels:
- kubernetes.io/cluster-service: "true"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- apiVersion: rbac/v1alpha1
- kind: User
- name: kubecfg