From 9f2ac979ae12122f6d955ae4bd007fcef73b21ba Mon Sep 17 00:00:00 2001
From: Abhijit Hoskeri
Date: Fri, 21 Oct 2022 11:57:07 -0700
Subject: [PATCH] Remove unused RBAC rule from system:kubelet-api-admin cd54bd94e90dbf10a7e4f8a85a26cd036d589c57 removes the handlers for /spec from the kubelet server. Cleanup the RBAC rules as well.
Change-Id: Id6befbcacec27ad383e336b7189289f55c1c0a68
---
 .../addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml | 1 -
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 2 +-
 .../authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml | 1 -
 3 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml b/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
index 4eeb7672871..b19dd0d1e7e 100644
--- a/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
+++ b/cluster/addons/rbac/kubelet-api-auth/kubelet-api-admin-role.yaml
@@ -13,6 +13,5 @@ rules:
 - nodes/log
 - nodes/stats
 - nodes/metrics
- - nodes/spec
 verbs:
 - "*"
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 85ef7b414f0..9302c0182bd 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -384,7 +384,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 // Allow all API calls to the nodes
 rbacv1helpers.NewRule("proxy").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
- rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/proxy", "nodes/metrics", "nodes/spec", "nodes/stats", "nodes/log").RuleOrDie(),
+ rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/proxy", "nodes/metrics", "nodes/stats", "nodes/log").RuleOrDie(),
 },
 },
 {
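Review bot: The narrowed wildcard rule in `ClusterRoles()` carries no comment explaining why `nodes/spec` is absent, so a later reader comparing it with older manifests may re-add it; I would put `// nodes/spec is intentionally absent: the kubelet no longer serves /spec.` directly above the `NewRule("*")` line. Separately, as far as I know the API server's bootstrap-policy reconciliation only adds missing permissions to default roles and does not strip extra ones, so clusters upgraded across this change would probably keep `nodes/spec` in `system:kubelet-api-admin` until the role is edited by hand. That is harmless while no handler answers on /spec, but it seems worth a release-note line so operators auditing the role know the stale grant can be removed. The body of `ClusterRoles()` starts and continues outside this hunk.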
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index e8d002b873b..0de6b3d58e7 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -914,7 +914,6 @@ items:
 - nodes/log
 - nodes/metrics
 - nodes/proxy
- - nodes/spec
 - nodes/stats
 verbs:
 - '*'