From 21eed3ecca2a0e774537bbf64ba01c70f72b02a9 Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski"
Date: Tue, 9 Oct 2018 16:18:26 +0200
Subject: [PATCH] bootkube(INSECURE): add system:masters to kubelet client cert
---
 pkg/asset/tls/kubeletcertkey.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/asset/tls/kubeletcertkey.go b/pkg/asset/tls/kubeletcertkey.go
index b6d41889c96..b8632e2025e 100644
--- a/pkg/asset/tls/kubeletcertkey.go
+++ b/pkg/asset/tls/kubeletcertkey.go
@@ -29,7 +29,9 @@ func (a *KubeletCertKey) Generate(dependencies asset.Parents) error {
 	dependencies.Get(kubeCA)
 	cfg := &CertCfg{
-		Subject: pkix.Name{CommonName: "system:serviceaccount:kube-system:default", Organization: []string{"system:serviceaccounts:kube-system"}},
+		// system:masters is a hack to get the kubelet up without kube-core
+		// TODO(node): make kubelet bootstrapping secure with minimal permissions eventually switching to system:node:* CommonName
+		Subject: pkix.Name{CommonName: "system:serviceaccount:kube-system:default", Organization: []string{"system:serviceaccounts:kube-system", "system:masters"}},
 		KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 		Validity: ValidityThirtyMinutes,
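Review bot: Adding `system:masters` to the Organization on the new `Subject:` line gives the kubelet client certificate unrestricted API access, since the API server's default RBAC bootstrap binds that group to cluster-admin and X.509 group membership cannot be revoked short of rotating the signing CA, so anyone who can read this key (a compromised node, or the installer's asset directory) holds cluster-admin for the certificate's lifetime. `ValidityThirtyMinutes` bounds the window but does not change the privilege level, and the two added comment lines do not say this. I would make the blast radius and the removal condition explicit, e.g. `// INSECURE: system:masters bypasses RBAC (cluster-admin) and cannot be revoked; drop it once the kubelet bootstraps via system:bootstrappers/CSR approval.` It is also worth considering gating the extra group on an explicit insecure/bootstrap flag rather than emitting it unconditionally, if the surrounding asset code has such a knob. The body of Generate continues outside the hunk.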