From 1db3c957b1d0f0b26ff354fcaf2547126d04b8ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucas=20K=C3=A4ldstr=C3=B6m?= Date: Thu, 28 Sep 2017 22:49:26 +0300 Subject: [PATCH] Add a small note about auto-bootstrapped CSR ClusterRoles --- docs/admin/kubelet-tls-bootstrapping.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/admin/kubelet-tls-bootstrapping.md b/docs/admin/kubelet-tls-bootstrapping.md index 84ba4af6d5851..0d553828ecbbd 100644 --- a/docs/admin/kubelet-tls-bootstrapping.md +++ b/docs/admin/kubelet-tls-bootstrapping.md @@ -130,6 +130,14 @@ rules: verbs: ["create"] ``` +As of 1.8, equivalent roles to the ones listed above are automatically created as part of the default RBAC roles. +For 1.8 clusters admins are recommended to bind tokens to the following roles instead of creating their own: + +* `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:nodeclient` + - Automatically approve CSRs for client certs bound to this role. +* `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:selfnodeclient` + - Automatically approve CSRs when a client bound to its role renews its own certificate. + These powers can be granted to credentials, such as bootstrapping tokens. For example, to replicate the behavior provided by the removed auto-approval flag, of approving all CSRs by a single group:
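Review bot: The two ClusterRole names in the new bullet list appear to contain a duplicated segment: `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:nodeclient` repeats `certificatesigningrequests` with a stray `:io:` between the copies, and the `selfnodeclient` entry has the same repetition. Since admins are being told to bind bootstrap tokens to these exact names, a typo here means the binding silently references a nonexistent role and auto-approval never happens (or, worse, someone creates a role with the wrong name and grants it broader rules by hand). Please copy the names verbatim from the default RBAC roles in a 1.8 cluster (`kubectl get clusterroles` will list them) rather than typing them. Two smaller points in the same hunk: "when a client bound to its role renews its own certificate" should read "bound to this role", and "For 1.8 clusters admins are recommended" needs a comma after "clusters". It would also help readers to state in the note that these roles carry only the CSR auto-approval permission, so the `create` rule shown just above still has to be bound separately for the bootstrap token to submit a CSR at all.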