# Certificates

The certificate generation process has been revamped to produce a more secure cluster.

Previously, all nodes on the cluster had full access to the API server using the
admin account. Now that RBAC is enabled, we can take advantage of more granular
authorization policies, and thus further secure the cluster.

During the upgrade to v1.4.0, you will notice that new component-specific certificates
are generated. These certificates have a tighter access model than the node-level
certificates used previously.

More information about certificates used in the cluster can be found [here](../../CERTIFICATES.md).

## Action Required: Admin Certificate
One side effect of this change is that existing admin certificates are considered invalid. This
is because the admin user must belong to the `system:masters` group, which is achieved
by including `system:masters` as an organization in the certificate.

For this reason, KET will back up the existing admin certificate and generate a new one with the right organization. This
will only happen if KET detects that the certificate was generated by KET. If the
certificate was provided to KET, you will have to remove the existing admin certificate
before performing an upgrade.

KET will also regenerate a kubeconfig file with the new admin certificate.