From 80ddac7157b46c1edd0c29b482cff18b763f4806 Mon Sep 17 00:00:00 2001
From: Andy Goldstein
Date: Wed, 8 Feb 2017 10:16:46 -0500
Subject: [PATCH] Fix controller manager RBAC in local-up-cluster

Change the name of the client cert used by the controller manager from system:controller to system:kube-controller-manager, so the appropriate RBAC rules are applied. Also remove the system:masters group from this client cert so it doesn't have super powers. Also, always enable using service account credentials in the controller manager.
---
 hack/local-up-cluster.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 10ce20382e..0f980a422e 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -399,7 +399,7 @@ function start_apiserver {
 # NOTE: system:masters will be removed in the future
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kubelet system:node:${HOSTNAME_OVERRIDE} system:nodes
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' kube-proxy system:kube-proxy system:nodes
- kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:controller system:masters
+ kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' controller system:kube-controller-manager
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:scheduler system:masters
 kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' admin system:admin system:masters
@@ -483,6 +483,7 @@ function start_controller_manager {
 --cloud-provider="${CLOUD_PROVIDER}" \
 --cloud-config="${CLOUD_CONFIG}" \
 --kubeconfig "$CERT_DIR"/controller.kubeconfig \
+ --use-service-account-credentials \
 --master="https://${API_HOST}:${API_SECURE_PORT}" >"${CTLRMGR_LOG}" 2>&1 &
 CTLRMGR_PID=$!
 }
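Review bot: The scheduler cert on the line right after the changed one is still issued as `system:scheduler` in group `system:masters`, so the same fix this hunk applies to the controller manager (a username that matches the bootstrap RBAC binding, no super-user group) is left undone for the scheduler, even though the `# NOTE: system:masters will be removed in the future` comment two lines above now only describes the scheduler and admin certs. If the bootstrap policy in this tree already binds the `system:kube-scheduler` user, which I cannot confirm from the hunk, the scheduler line should become `kube::util::create_client_certkey "${CONTROLPLANE_SUDO}" "${CERT_DIR}" 'client-ca' scheduler system:kube-scheduler`; otherwise the NOTE should say which certs are still deliberately in `system:masters`. The new controller line also silently drops the group argument, so a short comment such as `# controller-manager authorizes via its system:kube-controller-manager binding, no group needed` would record why it differs from its neighbours. start_apiserver starts and ends outside this hunk.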
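Review bot: With `--use-service-account-credentials` each controller authenticates with its own kube-system service account token instead of the controller.kubeconfig client cert, so the change only works if the token controller in this same process can mint tokens, which requires `--service-account-private-key-file` here and the matching `--service-account-key-file` plus `--root-ca-file` on the apiserver; none of those flags is visible in this hunk (start_controller_manager begins outside it), so confirm they are set unconditionally, otherwise the controllers sit unauthenticated waiting for tokens that never arrive. Since the flag is now always on and the controller cert in the other hunk no longer carries `system:masters`, a one-line comment before the flag would help the next reader: `# each controller runs as its own kube-system service account (least privilege); the controller.kubeconfig identity is only used to create them`.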