kubeadm: change SystemPrivilegedGroup in apiserve-kubelet-client.crt

The component connection between kube-apiserver and kubelet does not require the "O" field on the Subject to be set to the "system:masters" privileged group. It can be a less privileged group like "kubeadm:cluster-admins". Change the group in the apiserve-kubelet-client certificate specification. This cert is passed to --kubelet-client-certificate.
2025-08-04 09:49:50 +00:00 · 2023-11-10 14:16:40 +02:00 · 2023-11-10 14:16:40 +02:00 · 2780060a78
commit 2780060a78
parent 5ce0bd95cc
1 changed files with 1 additions and 1 deletions
--- a/cmd/kubeadm/app/phases/certs/certlist.go
+++ b/cmd/kubeadm/app/phases/certs/certlist.go
@ -291,7 +291,7 @@ func KubeadmCertKubeletClient() *KubeadmCert {
 		config: pkiutil.CertConfig{
 			Config: certutil.Config{
 				CommonName:   kubeadmconstants.APIServerKubeletClientCertCommonName,
-				Organization: []string{kubeadmconstants.SystemPrivilegedGroup},
+				Organization: []string{kubeadmconstants.ClusterAdminsGroupAndClusterRoleBinding},
 				Usages:       []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 			},
 		},