github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #39966 from liggitt/cert-users 

Automatic merge from submit-queue (batch tested with PRs 40168, 40165, 39158, 39966, 40190)

Include system:masters group in the bootstrap admin client certificate

Sets up the bootstrap admin client certificate for new clusters to be in the system:masters group

Removes the need for an explicit grant to the kubecfg user in e2e-bindings

```release-note
The default client certificate generated by kube-up now contains the superuser `system:masters` group
```
pull/6/head
Kubernetes Submit Queue 2017-01-20 08:28:51 -08:00 committed by GitHub
parent 0e1a166c4d 264dbf0daf
commit 1430597f7e
3 changed files with 11 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
cluster/addons/e2e-rbac-bindings/e2e-user-binding.yaml
View File

@ -1,19 +0,0 @@
# This is the main user for the e2e tests. This is ok to leave long term
# since the first user in the test can reasonably be high power
# its kubecfg in gce
# TODO consider provisioning each test its namespace and giving it an
# admin user. This still has to exist, but e2e wouldn't normally use it
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
name: e2e-user-cluster-admin
labels:
kubernetes.io/cluster-service: "true"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiVersion: rbac/v1alpha1
kind: User
name: kubecfg

7
cluster/common.sh
View File

@ -1008,7 +1008,12 @@ function generate-certs {
mv "kubelet.pem" "pki/issued/kubelet.crt" mv "kubelet.pem" "pki/issued/kubelet.crt"
rm -f "kubelet.csr" rm -f "kubelet.csr"
./easyrsa build-client-full kubecfg nopass # Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
./easyrsa --dn-mode=org \
--req-cn=kubecfg --req-org=system:masters \
--req-c= --req-st= --req-city= --req-email= --req-ou= \
build-client-full kubecfg nopass
cd ../kubelet cd ../kubelet
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass ./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass

6
cluster/saltbase/salt/generate-cert/make-ca-cert.sh
View File

@ -99,7 +99,11 @@ else
cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1 cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1 cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
fi fi
./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1 # Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
./easyrsa --dn-mode=org \
--req-cn=kubecfg --req-org=system:masters \
--req-c= --req-st= --req-city= --req-email= --req-ou= \
build-client-full kubecfg nopass > /dev/null 2>&1
cp -p pki/ca.crt "${cert_dir}/ca.crt" cp -p pki/ca.crt "${cert_dir}/ca.crt"
cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt" cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key" cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"