Add a small note about auto-bootstrapped CSR ClusterRoles

kubernetes · Sep 28, 2017 · 1db3c95 · 1db3c95
1 parent 1b06ec8
commit 1db3c95
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/docs/admin/kubelet-tls-bootstrapping.md b/docs/admin/kubelet-tls-bootstrapping.md
@@ -130,6 +130,14 @@ rules:
   verbs: ["create"]
 ```
 
+As of 1.8, equivalent roles to the ones listed above are automatically created as part of the default RBAC roles.
+For 1.8 clusters admins are recommended to bind tokens to the following roles instead of creating their own:
+
+* `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:nodeclient`
+    - Automatically approve CSRs for client certs bound to this role.
+* `system:certificates.k8s.io:certificatesigningrequests:io:certificatesigningrequests:selfnodeclient`
+    - Automatically approve CSRs when a client bound to its role renews its own certificate.
+
 These powers can be granted to credentials, such as bootstrapping tokens. For example, to replicate the behavior
 provided by the removed auto-approval flag, of approving all CSRs by a single group: