Include system:masters group in the bootstrap admin client certificate

2025-09-08 20:50:24 +00:00 · 2017-01-16 14:01:24 -05:00
parent 9118a1252f
commit 7e98e06e48
2 changed files with 11 additions and 2 deletions
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -995,7 +995,12 @@ function generate-certs {
    mv "kubelet.pem" "pki/issued/kubelet.crt"
    rm -f "kubelet.csr"

-    ./easyrsa build-client-full kubecfg nopass
+    # Make a superuser client cert with subject "O=system:masters, CN=kubecfg"
+    ./easyrsa --dn-mode=org \
+      --req-cn=kubecfg --req-org=system:masters \
+      --req-c= --req-st= --req-city= --req-email= --req-ou= \
+      build-client-full kubecfg nopass
+
    cd ../kubelet
    ./easyrsa init-pki
    ./easyrsa --batch "--req-cn=kubelet@$(date +%s)" build-ca nopass