bootkube(INSECURE): add system:masters to kubelet client cert

openshift · Oct 10, 2018 · c43391c · c43391c
1 parent 24fe196
commit c43391c
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/pkg/asset/tls/kubeletcertkey.go b/pkg/asset/tls/kubeletcertkey.go
@@ -29,7 +29,9 @@ func (a *KubeletCertKey) Generate(dependencies asset.Parents) error {
  dependencies.Get(kubeCA)
 
  cfg := &CertCfg{
- Subject: pkix.Name{CommonName: "system:serviceaccount:kube-system:default", Organization: []string{"system:serviceaccounts:kube-system"}},
+ // system:masters is a hack to get the kubelet up without kube-core
+ // TODO(node): make kubelet bootstrapping secure with minimal permissions eventually switching to system:node:* CommonName
+ Subject: pkix.Name{CommonName: "system:serviceaccount:kube-system:default", Organization: []string{"system:serviceaccounts:kube-system", "system:masters"}},
  KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
  ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
  Validity: ValidityThirtyMinutes,