Use a lower-privilege Kubelet kubeconfig in system:nodes

* Kubelets can use a lower-privilege TLS client certificate with Org system:nodes and a binding to the system:node ClusterRole * Admin kubeconfig's continue to belong to Org system:masters to provide cluster-admin (available in assets/auth/kubeconfig or as a Terraform output kubeconfig-admin) * Remove bare-metal output variable kubeconfig
2025-07-01 07:24:36 +02:00 · 2019-01-02 23:30:42 -08:00
parent 1c6a0392ad
commit 812a1adb49
31 changed files with 46 additions and 48 deletions
--- a/digital-ocean/container-linux/kubernetes/bootkube.tf
+++ b/digital-ocean/container-linux/kubernetes/bootkube.tf
@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=f382415f2bc18c7a2d39a92fe254e3823a634270"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=a7bd306679a0ce8a9e5084f928af696a284a256b"

  cluster_name          = "${var.cluster_name}"
  api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
--- a/digital-ocean/container-linux/kubernetes/ssh.tf
+++ b/digital-ocean/container-linux/kubernetes/ssh.tf
@ -10,7 +10,7 @@ resource "null_resource" "copy-controller-secrets" {
  }

  provisioner "file" {
-    content     = "${module.bootkube.kubeconfig}"
+    content     = "${module.bootkube.kubeconfig-kubelet}"
    destination = "$HOME/kubeconfig"
  }

@ -78,7 +78,7 @@ resource "null_resource" "copy-worker-secrets" {
  }

  provisioner "file" {
-    content     = "${module.bootkube.kubeconfig}"
+    content     = "${module.bootkube.kubeconfig-kubelet}"
    destination = "$HOME/kubeconfig"
  }