Adding /O=system:masters to admin certificate
Issue #1125. Make RBAC authorization plugin work out of the box. "When bootstrapping, superuser credentials should include the system:masters group, for example by creating a client cert with /O=system:masters. This gives those credentials full access to the API and allows an admin to then set up bindings for other users."pull/1254/head
parent
7cb7eee29d
commit
69636d2453
|
@ -85,7 +85,7 @@ if [ -n "$MASTERS" ]; then
|
|||
cn="${host%%.*}"
|
||||
# admin key
|
||||
openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
|
||||
openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}" > /dev/null 2>&1
|
||||
openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}/O=system:masters" > /dev/null 2>&1
|
||||
openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 > /dev/null 2>&1
|
||||
done
|
||||
fi
|
||||
|
|
Loading…
Reference in New Issue