Commit 3e5e73e

Merge pull request #48095 from neolit123/1.32-fix-wrong-info-about-admin.conf
kubeadm-certs: fix wrong info about admin.conf
2 parents 32ca284 + fa074af commit 3e5e73e

1 file changed, 15 additions and 5 deletions


content/en/docs/tasks/administer-cluster/kubeadm/kubeadm-certs.md

Lines changed: 15 additions & 5 deletions
@@ -349,14 +349,24 @@ CSRs requesting serving certificates for any IP or domain name.
349349

350350
## Generating kubeconfig files for additional users {#kubeconfig-additional-users}
351351

352-
During cluster creation, kubeadm signs the certificate in the `admin.conf` to have
353-
`Subject: O = system:masters, CN = kubernetes-admin`.
352+
During cluster creation, `kubeadm init` signs the certificate in the `super-admin.conf`
353+
to have `Subject: O = system:masters, CN = kubernetes-super-admin`.
354354
[`system:masters`](/docs/reference/access-authn-authz/rbac/#user-facing-roles)
355355
is a break-glass, super user group that bypasses the authorization layer (for example,
356-
[RBAC](/docs/reference/access-authn-authz/rbac/)).
357-
Sharing the `admin.conf` with additional users is **not recommended**!
356+
[RBAC](/docs/reference/access-authn-authz/rbac/)). The file `admin.conf` is also created
357+
by kubeadm on control plane nodes and it contains a certificate with
358+
`Subject: O = kubeadm:cluster-admins, CN = kubernetes-admin`. `kubeadm:cluster-admins`
359+
is a group logically belonging to kubeadm. If your cluster uses RBAC
360+
(the kubeadm default), the `kubeadm:cluster-admins` group is bound to the
361+
[`cluster-admin`](/docs/reference/access-authn-authz/rbac/#user-facing-roles) ClusterRole.
358362

359-
Instead, you can use the [`kubeadm kubeconfig user`](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
363+
{{< warning >}}
364+
Avoid sharing the `super-admin.conf` or `admin.conf` files. Instead, create least
365+
privileged access even for people who work as administrators and use that least
366+
privilege alternative for anything other than break-glass (emergency) access.
367+
{{< /warning >}}
368+
369+
You can use the [`kubeadm kubeconfig user`](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
360370
command to generate kubeconfig files for additional users.
361371
The command accepts a mixture of command line flags and
362372
[kubeadm configuration](/docs/reference/config-api/kubeadm-config.v1beta4/) options.
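Review bot: the new paragraph says `kubeadm init` signs the certificate in `super-admin.conf` (lines 352-353) but never says where that file is created, while the following sentence explicitly places `admin.conf` "on control plane nodes" (lines 356-357); readers will reasonably ask whether `super-admin.conf` also exists on every control plane node or only where `kubeadm init` ran, so state that explicitly next to the first mention. Two wording points in the same hunk: "contains a certificate" (line 357) should be "contains a client certificate", since the Subject shown is the client identity the API server authenticates, and "a group logically belonging to kubeadm" (line 359) is vague; something like "a group managed by kubeadm, granted access only through the RBAC binding described below" makes the contrast with `system:masters` (which bypasses authorization entirely, lines 354-356) clear and is the reason the warning prefers a least-privilege kubeconfig over either file.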
