Merge pull request #39966 from liggitt/cert-users

Automatic merge from submit-queue (batch tested with PRs 40168, 40165, 39158, 39966, 40190) Include system:masters group in the bootstrap admin client certificate Sets up the bootstrap admin client certificate for new clusters to be in the system:masters group Removes the need for an explicit grant to the kubecfg user in e2e-bindings ```release-note The default client certificate generated by kube-up now contains the superuser `system:masters` group ```
2025-09-09 05:01:46 +00:00 · 2017-01-20 08:28:51 -08:00
parent 0e1a166c4d 264dbf0daf
commit 1430597f7e
3 changed files with 11 additions and 21 deletions
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -1008,7 +1008,12 @@ function generate-certs {
    mv "kubelet.pem" "pki/issued/kubelet.crt"
    rm -f "kubelet.csr"

-    ./easyrsa build-client-full kubecfg nopass
+    # Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
+    ./easyrsa --dn-mode=org \
+      --req-cn=kubecfg --req-org=system:masters \
+      --req-c= --req-st= --req-city= --req-email= --req-ou= \
+      build-client-full kubecfg nopass
+
    cd ../kubelet
    ./easyrsa init-pki
    ./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass