Split k8s client certificate by services. Each k8s service should have own CN for RBAC. kubelet should belong to group system:nodes. Change-Id: If1c9f5820af2801909c42ebc56bd127ae42ff4ec

commit: 97fbd988b735c8caf2e8fab52a4a13f1870c87ce [log] [tgz]
author: Andrey Shestakov <ashestakov@mirantis.com> Wed Dec 27 22:29:11 2017 +0200
committer: Andrey Shestakov <ashestakov@mirantis.com> Fri Jan 05 14:08:12 2018 +0200
tree: 779db36b8e11585d9cfccf5428433104fd10deb8
parent: beffa36e11d3f4791286c99d8e720a8635f1267e [diff]
diff --git a/salt/minion/cert/k8s_client.yml b/salt/minion/cert/k8s_client.yml
index 06d83c4..be262b5 100644
--- a/salt/minion/cert/k8s_client.yml
+++ b/salt/minion/cert/k8s_client.yml

@@ -8,6 +8,34 @@
           key_file: /etc/kubernetes/ssl/kubelet-client.key
           cert_file: /etc/kubernetes/ssl/kubelet-client.crt
           ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
-          common_name: kubelet-client
+          common_name: system:node:${linux:system:name}
+          organization_name: system:nodes
           signing_policy: cert_client
-          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
+          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_proxy:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-proxy-client.key
+          cert_file: /etc/kubernetes/ssl/kube-proxy-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-proxy
+          signing_policy: cert_client
+          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_scheduler:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-scheduler-client.key
+          cert_file: /etc/kubernetes/ssl/kube-scheduler-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-scheduler
+          signing_policy: cert_client
+          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_controller_manager:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-controller-manager-client.key
+          cert_file: /etc/kubernetes/ssl/kube-controller-manager-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-controller-manager
+          signing_policy: cert_client
+          alternative_names: IP:${_param:cluster_vip_address},IP:${_param:cluster_node01_address},IP:${_param:cluster_node02_address},IP:${_param:cluster_node03_address},IP:${_param:kubernetes_internal_api_address}

diff --git a/salt/minion/cert/k8s_client_single.yml b/salt/minion/cert/k8s_client_single.yml
index 179d534..e9c7d79 100644
--- a/salt/minion/cert/k8s_client_single.yml
+++ b/salt/minion/cert/k8s_client_single.yml

@@ -8,6 +8,34 @@
           key_file: /etc/kubernetes/ssl/kubelet-client.key
           cert_file: /etc/kubernetes/ssl/kubelet-client.crt
           ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
-          common_name: kubelet-client
+          common_name: system:node:${linux:system:name}
+          organization_name: system:nodes
           signing_policy: cert_client
-          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
\ No newline at end of file
+          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_proxy:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-proxy-client.key
+          cert_file: /etc/kubernetes/ssl/kube-proxy-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-proxy
+          signing_policy: cert_client
+          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_scheduler:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-scheduler-client.key
+          cert_file: /etc/kubernetes/ssl/kube-scheduler-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-scheduler
+          signing_policy: cert_client
+          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
+        k8s_controller_manager:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          key_file: /etc/kubernetes/ssl/kube-controller-manager-client.key
+          cert_file: /etc/kubernetes/ssl/kube-controller-manager-client.crt
+          ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
+          common_name: system:kube-controller-manager
+          signing_policy: cert_client
+          alternative_names: IP:${_param:control_address},IP:${_param:kubernetes_internal_api_address}
commit	97fbd988b735c8caf2e8fab52a4a13f1870c87ce	[log] [tgz]
author	Andrey Shestakov <ashestakov@mirantis.com>	Wed Dec 27 22:29:11 2017 +0200
committer	Andrey Shestakov <ashestakov@mirantis.com>	Fri Jan 05 14:08:12 2018 +0200
tree	779db36b8e11585d9cfccf5428433104fd10deb8
parent	beffa36e11d3f4791286c99d8e720a8635f1267e [diff]