Commit

Add a small note about auto-bootstrapped CSR ClusterRoles (#5660)
luxas authored and steveperry-53 committed Sep 28, 2017
1 parent 1b06ec8 commit 53bd058
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions docs/admin/kubelet-tls-bootstrapping.md
Expand Up @@ -130,6 +130,14 @@ rules:
verbs: ["create"]
```
As of 1.8, equivalent roles to the ones listed above are automatically created as part of the default RBAC roles.
For 1.8 clusters admins are recommended to bind tokens to the following roles instead of creating their own:
* `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:nodeclient`
- Automatically approve CSRs for client certs bound to this role.
* `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:selfnodeclient`
- Automatically approve CSRs when a client bound to its role renews its own certificate.

These powers can be granted to credentials, such as bootstrapping tokens. For example, to replicate the behavior
provided by the removed auto-approval flag, of approving all CSRs by a single group:
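
Review bot: The role names in the two added bullets repeat a segment (`certificatesigningrequests:io:certificatesigningrequests`), which looks like a copy-paste slip. A binding that names a role which does not exist would not grant the approval permissions, so a reader copying these strings could end up with CSRs that are never auto-approved. Please check both names against the default RBAC roles shipped in 1.8; I would expect `system:certificates.k8s.io:certificatesigningrequests:nodeclient` and the matching `selfnodeclient` name. The descriptions are also loose about the subject of the binding: roles are bound to users or groups, not to certs, so "client certs bound to this role" and "a client bound to its role" should say which subject (for example the bootstrap token group or the node's own identity) gets the binding, since that determines whose CSRs are approved without review. Last, the added text now sits directly above "These powers can be granted to credentials", so that sentence reads as referring to the auto-created roles rather than the hand-written ClusterRoles; a short transition would make clear which set of roles the following example binds.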

