Kubernetes the Hard Way: admin user's cert subject missing O=system:masters

[qrkourier]

I'm following @tashian's adaptation of Kubernetes the Hard Way with Step CA. I ran into a problem in step 8, "bootstrapping controllers". It's in this step that user admin first connects to the apiserver with a kubeconfig. The symptom I'm troubleshooting:

$ kubectl --kubeconfig admin.kubeconfig get clusterroles
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "admin" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope

Upon inspection, admin's client cert has subject, so if I understand correctly this property is missing the expected value O=system:masters:

$ openssl x509 -noout -subject < admin.pem 
subject=CN = admin

Admin's client cert was created with this command:

$ { sudo step ca certificate admin admin.pem admin-key.pem     --provisioner="kubernetes"     --provisioner-password-file="provisioner-password"     --set "Organization=system:masters"     --kty RSA; }

With provisioner template /etc/step-ca/templates/x509/kubernetes.tpl:

{
    "subject": {
{{- if .Insecure.User.Organization }}
        "organization": {{ toJson .Insecure.User.Organization }},
{{- end }}
        "commonName": {{ toJson .Subject.CommonName }},
        "organizationalUnit": {{ toJson .OrganizationalUnit }}
    },
    "sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
          "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
        "keyUsage": ["digitalSignature"],
{{- end }}
    "extKeyUsage": ["serverAuth", "clientAuth"]
}

I suspect a mismatch between the template reference .Insecure.User.Organization and the step ca certificate --set "Organization=system:masters" command.

[qrkourier]

I just realized that my /etc/step-ca/config/ca.json was missing the following:

  "claims": {
    "maxTLSCertDuration": "2160h",
    "defaultTLSCertDuration": "2160h"
  },
  "options": {
    "x509": {
      "templateFile": "templates/x509/kubernetes.tpl",
      "templateData": {
        "OrganizationalUnit": "Kubernetes The Hard Way"
      }
    }
  }

I suspect this caused all the certificates to be created without using the template.

This was almost certainly caused by the problem I attempted to patch in smallstep/kubernetes-the-hard-way#2 but apparently I forgot to use the fixed command and ended up issuing all the certificates with the default config that doesn't reference the templateFile.

I fixed ca.json and re-issued admin's client cert, but the subject property is still missing O=system:masters. I'm still missing something.