kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

kubeadm/create-cluster: add warning about admin.conf 

Add warning that the file must not be shared as it has super powers
that cannot be revoked.
This commit is contained in:
Lubomir I. Ivanov 2021-03-19 17:48:29 +02:00
parent bb2f640858
commit 669322a78c
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
content/en/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md
View File

@ -187,6 +187,13 @@ Alternatively, if you are the `root` user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
```
{{< warning >}}
Kubeadm signs the certificate in the `admin.conf` to have `Subject: O = system:masters, CN = kubernetes-admin`.
`system:masters` is a break-glass, super user group that bypasses the authorization layer (e.g. RBAC).
Do not share the `admin.conf` file with anyone and instead grant users custom permissions by generating
them a kubeconfig file using the `kubeadm kubeconfig user` command.
{{< /warning >}}
Make a record of the `kubeadm join` command that `kubeadm init` outputs. You
need this command to [join nodes to your cluster](#join-nodes).