diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
index 02467adc49f..5320c75b389 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
@@ -18,11 +18,13 @@ go_library(
 tags = ["automanaged"],
 deps = [
 "//pkg/apis/rbac:go_default_library",
+ "//pkg/features:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+ "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
 ],
 )
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index bebac073509..9ae96202416 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -21,7 +21,9 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apiserver/pkg/authentication/user"
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
 rbac "k8s.io/kubernetes/pkg/apis/rbac"
+ "k8s.io/kubernetes/pkg/features"
 )
 var (
@@ -361,7 +363,32 @@ func ClusterRoles() []rbac.ClusterRole {
 eventsRule(),
 },
 },
+ {
+ // a role making the csrapprover controller approve a node client CSR
+ ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:certificatesigningrequests:nodeclient"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("create").Groups(certificatesGroup).Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
+ },
+ },
+ {
+ // a role making the csrapprover controller approve a node client CSR requested by the node itself
+ ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("create").Groups(certificatesGroup).Resources("certificatesigningrequests/selfnodeclient").RuleOrDie(),
+ },
+ },
 }
+
+ if utilfeature.DefaultFeatureGate.Enabled(features.RotateKubeletServerCertificate) {
+ roles = append(roles, rbac.ClusterRole{
+ // a role making the csrapprover controller approve a node server CSR requested by the node itself
+ ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:certificatesigningrequests:selfnodeserver"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("create").Groups(certificatesGroup).Resources("certificatesigningrequests/selfnodeserver").RuleOrDie(),
+ },
+ })
+ }
+
 addClusterRoleLabel(roles)
 return roles
 }
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index b36449fc68a..f183249bb52 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
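Review bot: The selfnodeserver role is emitted only when RotateKubeletServerCertificate is enabled at the moment ClusterRoles() runs, and the accompanying testdata/cluster-roles.yaml fixture captures only the gate-off set, so the gate-on role has no golden coverage in this change; a fixture or test case with the gate enabled would pin its exact rule. Since every role here gets the autoupdate label via addClusterRoleLabel(roles) but nothing in this hunk removes roles, a cluster that enables the gate and later disables it would presumably retain the selfnodeserver approval role — worth confirming against the reconciler and stating in the comment. The three role comments describe the effect ("making the csrapprover controller approve …") but not the intended subject; if the approver evaluates these subresource verbs against the CSR requester, as the selfnodeclient/selfnodeserver names suggest, say so, e.g. `// grants create on the nodeclient subresource; the csrapprover controller auto-approves node client CSRs whose requester holds this permission — bind to the requesting node/bootstrap identity, not to the controller`. No bindings are created in this hunk, so the roles are inert until bound elsewhere; naming where that binding lives would help reviewers of the authorization surface.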
@@ -362,6 +362,38 @@ items:
 - selfsubjectaccessreviews
 verbs:
 - create
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
+ rules:
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/nodeclient
+ verbs:
+ - create
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
+ rules:
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests/selfnodeclient
+ verbs:
+ - create
 - apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata: