Open
Description
In ca.conf line 155, the `[kube-scheduler_distinguished_name]` section has a duplicated `system:` prefix in the Organization field:

```
O = system:system:kube-scheduler
```

It should be:

```
O = system:kube-scheduler
```
Comparison with other components
| Component | Organization (O) | Correct? |
|---|---|---|
| kube-controller-manager | system:kube-controller-manager | Yes |
| kube-proxy | system:node-proxier | Yes |
| kube-scheduler | system:system:kube-scheduler | No |
Impact
The Organization field in an X.509 certificate maps to Kubernetes RBAC groups. The incorrect value system:system:kube-scheduler places the scheduler in a non-standard group, which could cause authorization failures with the Kubernetes API server.
Verification
Generated a CSR using the buggy configuration and confirmed the incorrect Organization:
```
$ openssl req -in /tmp/test-scheduler.csr -noout -subject
subject=CN = system:kube-scheduler, O = system:system:kube-scheduler, C = US, ST = Washington, L = Seattle
```
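A small check for this class of mistake, added here as an example and not part of the issue or the repository: it lints the `*_distinguished_name` sections of a ca.conf against the expected Organization per component (the table above), and applies the same check to the `openssl req -noout -subject` output line. The config and subject line embedded below are constructed samples that mirror the buggy section, not the real ca.conf.

```python
import configparser
import re

# Expected Organization (RBAC group) per component, from the comparison table above.
EXPECTED_ORG = {
    "kube-controller-manager": "system:kube-controller-manager",
    "kube-proxy": "system:node-proxier",
    "kube-scheduler": "system:kube-scheduler",
}

# Constructed sample mirroring the buggy section; not the repository's real ca.conf.
SAMPLE_CA_CONF = """[kube-proxy_distinguished_name]
CN = system:kube-proxy
O  = system:node-proxier
[kube-scheduler_distinguished_name]
CN = system:kube-scheduler
O  = system:system:kube-scheduler
"""
# Constructed copy of the `openssl req -noout -subject` output quoted in the issue.
SAMPLE_SUBJECT = ("subject=CN = system:kube-scheduler, O = system:system:kube-scheduler, "
                  "C = US, ST = Washington, L = Seattle")

def check_org(component, org):
    """Return a problem string, or None when O is the expected RBAC group."""
    org = org or ""  # a missing O is reported as a mismatch below
    if re.search(r"(?:system:){2,}", org):
        return f"duplicated 'system:' prefix in O={org}"
    expected = EXPECTED_ORG.get(component)
    if expected and org != expected:
        return f"O={org}, expected {expected}"
    return None

def lint_ca_conf(conf_text):
    """List (component, problem) for each *_distinguished_name section with a bad O."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep field names case-sensitive (O, CN, ...)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if section.endswith("_distinguished_name"):
            component = section[: -len("_distinguished_name")]
            problem = check_org(component, parser[section].get("O"))
            if problem:
                findings.append((component, problem))
    return findings

def check_subject_line(line):
    """Parse openssl's 'subject=CN = ..., O = ...' print form and check O against CN."""
    fields = dict(part.split(" = ", 1) for part in line.split("=", 1)[1].split(", "))
    component = fields["CN"].removeprefix("system:")
    return check_org(component, fields.get("O"))
```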