Removes creation of CSR approval CR from kubeadm

2025-07-30 06:54:01 +00:00 · 2017-09-25 09:06:27 -07:00 · 2017-09-25 09:06:27 -07:00 · ad8c9a3b8a
commit ad8c9a3b8a
parent b188868fd9
2 changed files with 1 additions and 18 deletions
--- a/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD
+++ b/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD
@ -23,7 +23,6 @@ go_library(
        "//cmd/kubeadm/app/constants:go_default_library",
        "//cmd/kubeadm/app/util/apiclient:go_default_library",
        "//cmd/kubeadm/app/util/token:go_default_library",
-        "//pkg/apis/rbac/v1:go_default_library",
        "//pkg/bootstrap/api:go_default_library",
        "//pkg/util/version:go_default_library",
        "//vendor/k8s.io/api/core/v1:go_default_library",
--- a/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go
+++ b/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go
@ -24,7 +24,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
-	rbachelper "k8s.io/kubernetes/pkg/apis/rbac/v1"
 	"k8s.io/kubernetes/pkg/util/version"
 )

@ -37,6 +36,7 @@ const (

 	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
 	// TODO: This value should be defined in an other, generic authz package instead of here
+	// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
 	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
 	// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
 	NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
@ -70,22 +70,6 @@ func AutoApproveNodeBootstrapTokens(client clientset.Interface, k8sVersion *vers

 	fmt.Println("[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token")

-	// TODO: When the v1.9 cycle starts (targeting v1.9 at HEAD) and v1.8.0 is the minimum supported version, we can remove this function as the ClusterRole will always exist
-	if k8sVersion.LessThan(constants.MinimumCSRAutoApprovalClusterRolesVersion) {
-
-		err := apiclient.CreateOrUpdateClusterRole(client, &rbac.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: CSRAutoApprovalClusterRoleName,
-			},
-			Rules: []rbac.PolicyRule{
-				rbachelper.NewRule("create").Groups("certificates.k8s.io").Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
-			},
-		})
-		if err != nil {
-			return err
-		}
-	}
-
 	// Always create this kubeadm-specific binding though
 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{