Add default worker group if RBAC is enabled

When RBAC is enabled, the worker joins the cluster need to be of the group "system:nodes". This is due to the default `clusterrolebinding` `system:node` can assign permissions to worker nodes.

Get the role binding details by `kubectl get clusterrolebinding system:nodes -o yaml`

So when creating keys for workers, we can use below command to generate X509 certs for a worker node:

```bash
openssl genrsa -out ${WORKER_FQDN}-worker-key.pem 2048
WORKER_IP=${WORKER_IP} openssl req -new -key ${WORKER_FQDN}-worker-key.pem -out ${WORKER_FQDN}-worker.csr -subj "/CN=${WORKER_FQDN}/O=system:nodes" -config worker-openssl.cnf
WORKER_IP=${WORKER_IP} openssl x509 -req -in ${WORKER_FQDN}-worker.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${WORKER_FQDN}-worker.pem -days 365 -extensions v3_req -extfile worker-openssl.cnf
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add default worker group if RBAC is enabled #560

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Add default worker group if RBAC is enabled #560

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions