Merge pull request #40938 from mikedanese/rotation-permission

Automatic merge from submit-queue (batch tested with PRs 40906, 40924, 40938, 40902, 40911)

allow the kubelet to request certificates
Kubernetes Submit Queue 2017-02-04 03:49:52 -08:00 committed by GitHub
commit 839014ac04
2 changed files with 12 additions and 0 deletions


@ -217,6 +217,9 @@ func ClusterRoles() []rbac.ClusterRole {
// TODO: change glusterfs to use DNS lookup so this isn't needed?
// Needed for glusterfs volumes
rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
// Used to create a certificatesigningrequest for a node-specific client certificate, and watch
// for it to be signed. This allows the kubelet to rotate it's own certificate.
rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
},
},
{
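Review bot: The rule added at the end of this rule list grants `create`, `get`, `list` and `watch` on `certificatesigningrequests` with no further scoping, so every identity bound to this role can read all CSRs in the cluster and submit a request naming any subject. RBAC cannot express "only this node's own request", so the safety of rotation rests on the approver and signer checking that the requested identity matches the requesting kubelet. The comment above the rule should say so, for example `// RBAC cannot limit this to the node's own CSR; the approver must verify the requested subject matches the requester.` The new comment's "rotate it's own certificate" should also read "its own certificate". The enclosing role definition starts outside the hunk, so the role this rule belongs to is inferred from the commit title only.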


@ -569,6 +569,15 @@ items:
- endpoints
verbs:
- get
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- create
- get
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata: