Use a lower-privilege Kubelet kubeconfig in system:nodes

* Kubelets can use a lower-privilege TLS client certificate with
Org system:nodes and a binding to the system:node ClusterRole
* Admin kubeconfigs continue to belong to Org system:masters to
provide cluster-admin (available in assets/auth/kubeconfig or as
a Terraform output kubeconfig-admin)
* Remove bare-metal output variable kubeconfig
Dalton Hubble
2019-01-02 23:30:42 -08:00
parent 1c6a0392ad
commit 812a1adb49
31 changed files with 46 additions and 48 deletions

@ -4,13 +4,19 @@ Notable changes between versions.
## Latest
* Add ServiceAccounts for `kube-apiserver` and `kube-scheduler`
* Add ServiceAccounts for `kube-apiserver` and `kube-scheduler` ([#370](https://github.com/poseidon/typhoon/pull/370))
* Use a lower-privilege TLS client certificate with org `system:nodes` for Kubelets ([#372](https://github.com/poseidon/typhoon/pull/372))
* Bind the `system:nodes` group to the `system:node` ClusterRole
#### AWS
* Change `controller_type` and `worker_type` default from t2.small to t3.small
* t3.small is cheaper, provides 2 vCPU (instead of 1), and 5 Gbps of pod-to-pod bandwidth!
#### Bare-Metal
* Remove the `kubeconfig` output variable
#### Addons
* Update Prometheus from v2.5.0 to v2.6.0
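Review bot: The Bare-Metal entry "Remove the `kubeconfig` output variable" records a breaking removal without naming a replacement. The commit message says the admin kubeconfig remains available in assets/auth/kubeconfig or as the Terraform output kubeconfig-admin, so the entry should point users there. The Latest entries also describe only the Kubelet side (org `system:nodes`, bound to the `system:node` ClusterRole). Consider adding a line stating that admin kubeconfigs stay in org system:masters, so readers can tell which credential still carries cluster-admin after this change.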