Add kubeconfig's for kube-scheduler and kube-controller-manager

* Generate TLS client certificates for `kube-scheduler` and `kube-controller-manager` with `system:kube-scheduler` and `system:kube-controller-manager` CNs * Template separate kubeconfigs for kube-scheduler and kube-controller manager (`scheduler.conf` and `controller-manager.conf`). Rename admin for clarity * Before v1.16.0, Typhoon scheduled a self-hosted control plane, which allowed the steady-state kube-scheduler and kube-controller-manager to use a scoped ServiceAccount. With a static pod control plane, separate CN TLS client certificates are the nearest equiv. * https://kubernetes.io/docs/setup/best-practices/certificates/ * Remove unused Kubelet certificate, TLS bootstrap is used instead
2025-07-17 14:41:34 +02:00 · 2020-12-01 20:33:20 -08:00
parent 8ba23f364c
commit 804dfea0f9
21 changed files with 32 additions and 32 deletions
--- a/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
@ -153,7 +153,7 @@ storage:
          chown -R etcd:etcd /etc/ssl/etcd
          chmod -R 500 /etc/ssl/etcd
          chmod -R 700 /var/lib/etcd
-          mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+          mv auth/* /etc/kubernetes/bootstrap-secrets/
          mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
          mkdir -p /etc/kubernetes/manifests
          mv static-manifests/* /etc/kubernetes/manifests/
@ -167,7 +167,7 @@ storage:
      contents:
        inline: |
          #!/bin/bash -e
-          export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+          export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
          until kubectl version; do
            echo "Waiting for static pod control plane"
            sleep 5