Update docs with new clusterroles for CSR autoapproving

kubernetes · Sep 27, 2017 · 013038a · 013038a
1 parent bc805bd
commit 013038a
Showing 1 changed file with 19 additions and 7 deletions.
diff --git a/docs/admin/kubelet-tls-bootstrapping.md b/docs/admin/kubelet-tls-bootstrapping.md
@@ -92,38 +92,50 @@ tracked at [kubernetes/features#267](https://github.com/kubernetes/features/issu
 --feature-gates=RotateKubeletServerCertificate=true
 ```
 
-The following RBAC `ClusterRoles` represent the `nodeclient`, `selfnodeclient`, and `selfnodeserver` capabilities. Similar roles
-may be automatically created in future releases.
+The following RBAC `ClusterRoles` represent the `nodeclient`, `selfnodeclient`, and `selfnodeserver` capabilities.
+Some of these roles are automatically created since the v1.8.0 release, these ClusterRoles are showed below for
+reference.
+
 
 ```yml
 # A ClusterRole which instructs the CSR approver to approve a user requesting
 # node client credentials.
+# This ClusterRole is automatically created since v1.8.0
+# Prior to v1.8.0, you have to create a resource like this yourself.
+# (Preferably with a name that is not "system:"-prefixed)
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: approve-node-client-csr
+  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
 rules:
 - apiGroups: ["certificates.k8s.io"]
   resources: ["certificatesigningrequests/nodeclient"]
   verbs: ["create"]
 ---
 # A ClusterRole which instructs the CSR approver to approve a node renewing its
 # own client credentials.
+# This ClusterRole is automatically created since v1.8.0
+# Prior to v1.8.0, you have to create a resource like this yourself.
+# (Preferably with a name that is not "system:"-prefixed)
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: approve-node-client-renewal-csr
+  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
 rules:
 - apiGroups: ["certificates.k8s.io"]
   resources: ["certificatesigningrequests/selfnodeclient"]
   verbs: ["create"]
 ---
 # A ClusterRole which instructs the CSR approver to approve a node requesting a
 # serving cert matching its client cert.
+# This ClusterRole is automatically created since v1.8.0, if the
+# RotateKubeletServerCertificate feature gate is enabled
+# Prior to v1.8.0, you have to create a resource like this yourself.
+# (Preferably with a name that is not "system:"-prefixed)
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: approve-node-server-renewal-csr
+  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
 rules:
 - apiGroups: ["certificates.k8s.io"]
   resources: ["certificatesigningrequests/selfnodeserver"]
@@ -152,7 +164,7 @@ subjects:
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: approve-node-client-csr
+  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
   apiGroup: rbac.authorization.k8s.io
 ```
 
@@ -170,7 +182,7 @@ subjects:
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: approve-node-client-renewal-csr
+  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
   apiGroup: rbac.authorization.k8s.io
 ```