Merge pull request #53009 from madhukar32/stop_create_csr_cr

Automatic merge from submit-queue (batch tested with PRs 51648, 53030, 53009). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..

Removes creation of ClusterRole for CSR approval from kubeadm

**What this PR does / why we need it**:

Removes creation of ClusterRole for CSR approval from kubeadm. Starting v1.8, ClusterRole needed for the CSR approval are automatically created by api server.

See issue: https://github.com/kubernetes/kubeadm/issues/384


**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
```

cmd/kubeadm/app/phases/bootstraptoken/node/BUILD

@@ -23,7 +23,6 @@ go_library(
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/util/apiclient:go_default_library",
         "//cmd/kubeadm/app/util/token:go_default_library",
-        "//pkg/apis/rbac/v1:go_default_library",
         "//pkg/bootstrap/api:go_default_library",
         "//pkg/util/version:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",

cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go

@@ -24,7 +24,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
-	rbachelper "k8s.io/kubernetes/pkg/apis/rbac/v1"
 	"k8s.io/kubernetes/pkg/util/version"
 )
 
@@ -37,6 +36,7 @@ const (
 
 	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
 	// TODO: This value should be defined in an other, generic authz package instead of here
+	// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
 	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
 	// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
 	NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
@@ -70,22 +70,6 @@ func AutoApproveNodeBootstrapTokens(client clientset.Interface, k8sVersion *vers
 
 	fmt.Println("[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token")
 
-	// TODO: When the v1.9 cycle starts (targeting v1.9 at HEAD) and v1.8.0 is the minimum supported version, we can remove this function as the ClusterRole will always exist
-	if k8sVersion.LessThan(constants.MinimumCSRAutoApprovalClusterRolesVersion) {
-
-		err := apiclient.CreateOrUpdateClusterRole(client, &rbac.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: CSRAutoApprovalClusterRoleName,
-			},
-			Rules: []rbac.PolicyRule{
-				rbachelper.NewRule("create").Groups("certificates.k8s.io").Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
-			},
-		})
-		if err != nil {
-			return err
-		}
-	}
-
 	// Always create this kubeadm-specific binding though
 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{