From 69636d2453faf2b74e8e154f29e3a49217d0b7dd Mon Sep 17 00:00:00 2001
From: "Cesarini, Daniele" <daniele.cesarini@sky.uk>
Date: Wed, 8 Mar 2017 14:42:25 +0000
Subject: [PATCH] Adding /O=system:masters to admin certificate

Issue #1125. Make RBAC authorization plugin work out of the box.
"When bootstrapping, superuser credentials should include the system:masters group, for example by creating a client cert with /O=system:masters. This gives those credentials full access to the API and allows an admin to then set up bindings for other users."
---
 roles/kubernetes/secrets/files/make-ssl.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 3cea6d79e..55ea13d1e 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -85,7 +85,7 @@ if [ -n "$MASTERS" ]; then
         cn="${host%%.*}"
         # admin key
         openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}" > /dev/null 2>&1
+        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}/O=system:masters" > /dev/null 2>&1
         openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 > /dev/null 2>&1
     done
 fi
-- 
GitLab