From f7532568beea4cbca3177254fb991b791e734773 Mon Sep 17 00:00:00 2001 From: Kelsey Hightower Date: Fri, 24 Mar 2017 04:16:29 -0700 Subject: [PATCH] document the RBAC role binding process for TLS bootstrapping --- docs/05-kubernetes-controller.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/05-kubernetes-controller.md b/docs/05-kubernetes-controller.md index e852ba5..74303f1 100644 --- a/docs/05-kubernetes-controller.md +++ b/docs/05-kubernetes-controller.md @@ -316,14 +316,14 @@ aws elb register-instances-with-load-balancer \ ## RBAC -Set up bootstrapping roles: +The following command will grant the `kubelet-bootstrap` user the permissions necessary to request a client TLS certificate. -``` -gcloud compute ssh controller0 -``` +Bind the `kubelet-bootstrap` user to the `system:node-bootstrapper` cluster role: ``` kubectl create clusterrolebinding kubelet-bootstrap \ --clusterrole=system:node-bootstrapper \ --user=kubelet-bootstrap ``` + +At this point kubelets can now request a TLS client certificate as defined in the [kubelet TLS bootstrapping guide](https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/).
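Review bot: With the `gcloud compute ssh controller0` block removed from the `## RBAC` section, the `kubectl create clusterrolebinding` command no longer says where, or with which credentials, it is meant to be run. Add a sentence naming the expected host or kubeconfig context, since creating a cluster role binding requires an identity that is allowed to create bindings cluster-wide. The two new introductory sentences ("The following command will grant ..." and "Bind the `kubelet-bootstrap` user to ...") both introduce the same single command and could be merged into one. In the closing sentence, "At this point kubelets can now request" is redundant: drop either "At this point" or "now". It would also be worth stating that `--user=kubelet-bootstrap` grants the role to anything that authenticates as that user, so the credential behind that user name should be handled as a secret.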