Adding /O=system:masters to admin certificate

Issue #1125. Make RBAC authorization plugin work out of the box. "When bootstrapping, superuser credentials should include the system:masters group, for example by creating a client cert with /O=system:masters. This gives those credentials full access to the API and allows an admin to then set up bindings for other users."

Adding /O=system:masters to admin certificate
69636d24 · Cesarini, Daniele · 7cb7eee2 · 69636d24
Commit 69636d24 authored 8 years ago by Cesarini, Daniele
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -85,7 +85,7 @@ if [ -n "$MASTERS" ]; then
        cn="${host%%.*}"
        # admin key
        openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}" > /dev/null 2>&1
+        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}/O=system:masters" > /dev/null 2>&1
        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 > /dev/null 2>&1
    done
 fi