Hi Team,
What is the difference between the two files created by the `kubeadm init` command?
- /etc/kubernetes/admin.conf
- /etc/kubernetes/super-admin.conf
Thanks,
Sakshi
The best way to figure this out is to look at the files. Looking at both files, they are in kubeconfig format, so the difference will be in the Subject: field of the embedded user certificate. You can see that by doing:

```
controlplane /etc/kubernetes ➜ k --kubeconfig super-admin.conf config view --raw -o jsonpath='{.users[].user.client-certificate-data}' | base64 -d | openssl x509 -noout -text | grep Subject:
Subject: O = system:masters, CN = kubernetes-super-admin
controlplane /etc/kubernetes ➜ k --kubeconfig admin.conf config view --raw -o jsonpath='{.users[].user.client-certificate-data}' | base64 -d | openssl x509 -noout -text | grep Subject:
Subject: O = kubeadm:cluster-admins, CN = kubernetes-admin
```
So they have different groups assigned to them. If you look at the clusterrolebindings:

| File | Group | ClusterRole |
|---|---|---|
| super-admin | system:masters | ClusterRole/cluster-admin |
| admin | kubeadm:cluster-admins | ClusterRole/cluster-admin |

This looks like, at least for now, the two different files ultimately grant the same rights, to my surprise. I'm guessing that in future there will be tiered admin roles. But not yet.
Spoke a little too soon. The answer is in the docs:

> The kubeconfig file admin.conf that kubeadm init generates contains a certificate with Subject: O = kubeadm:cluster-admins, CN = kubernetes-admin. The group kubeadm:cluster-admins is bound to the built-in cluster-admin ClusterRole. Do not share the admin.conf file with anyone.
>
> kubeadm init generates another kubeconfig file super-admin.conf that contains a certificate with Subject: O = system:masters, CN = kubernetes-super-admin. system:masters is a break-glass, super user group that bypasses the authorization layer (for example RBAC). Do not share the super-admin.conf file with anyone. It is recommended to move the file to a safe location.
>
> See Generating kubeconfig files for additional users on how to use kubeadm kubeconfig user to generate kubeconfig files for additional users.
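The inspection step from the first answer (pull the embedded client certificate out of a kubeconfig and read its Subject) and the distinction from the docs quoted above (a group bound through a ClusterRoleBinding versus `system:masters`, which bypasses RBAC) can be turned into a small audit script. This is an added example, not from the thread or from kubeadm: it generates two throwaway self-signed certificates with the same Subjects the thread reports, wraps each in a minimal constructed kubeconfig, and then extracts the group and flags the break-glass one. It assumes `openssl`, `base64` and `sed` are available; it reads `client-certificate-data` with `sed` instead of `kubectl config view` so it runs without a cluster.

```shell
#!/bin/sh
# Added example (not from the thread): report which group a kubeconfig's
# embedded client certificate carries and flag the RBAC-bypassing one.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a throwaway self-signed cert with the given O (group)
# and CN (user), embedded in a minimal kubeconfig at $1. Nothing here is a
# real cluster credential.
make_sample_kubeconfig() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/O=$2/CN=$3" -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: https://127.0.0.1:6443
users:
- name: $3
  user:
    client-certificate-data: $(base64 < "$WORK/cert.pem" | tr -d '\n')
    client-key-data: $(base64 < "$WORK/key.pem" | tr -d '\n')
contexts:
- name: $3@kubernetes
  context: {cluster: kubernetes, user: $3}
current-context: $3@kubernetes
EOF
}

# Print the RFC 2253 Subject of the first embedded client cert in a kubeconfig.
# RFC 2253 output is stable across openssl versions (e.g. "CN=x,O=y").
kubeconfig_cert_subject() {
  sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n 1 \
    | base64 -d | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Print the O= components, which Kubernetes maps to groups, one per line.
kubeconfig_cert_groups() {
  kubeconfig_cert_subject "$1" | tr ',' '\n' | sed -n 's/^O=//p'
}

# Exit 0 when the cert is in system:masters, the group the API server
# authorizes before RBAC is consulted, so no ClusterRoleBinding can limit it.
kubeconfig_bypasses_rbac() {
  kubeconfig_cert_groups "$1" | grep -qx 'system:masters'
}

make_sample_kubeconfig "$WORK/super-admin.conf" system:masters kubernetes-super-admin
make_sample_kubeconfig "$WORK/admin.conf" kubeadm:cluster-admins kubernetes-admin

for f in super-admin.conf admin.conf; do
  printf '%s: %s' "$f" "$(kubeconfig_cert_subject "$WORK/$f")"
  if kubeconfig_bypasses_rbac "$WORK/$f"; then
    echo '  <- system:masters: RBAC does not apply; keep this file off the box'
  else
    echo '  <- authorized through a ClusterRoleBinding; revocable by editing RBAC'
  fi
done
```

Pointing `kubeconfig_cert_subject` at a real `/etc/kubernetes/admin.conf` or `super-admin.conf` gives the same Subjects the thread shows. The practical difference the groups make is in revocation: a `kubeadm:cluster-admins` certificate can be cut off by removing or narrowing the ClusterRoleBinding, whereas a `system:masters` certificate stays all-powerful until it expires or the cluster CA is rotated, which is why the docs say to move `super-admin.conf` somewhere safe.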