Merge pull request #117414 from ialidzhikov/cleanup/kcm-endpoint-leader-election-rbac

Remove endpoints (old leader election) related RBAC from kube-controller-manager ClusterRole

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go

@@ -432,9 +432,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
 				// Needed for leader election.
 				rbacv1helpers.NewRule("create").Groups(coordinationGroup).Resources("leases").RuleOrDie(),
 				rbacv1helpers.NewRule("get", "update").Groups(coordinationGroup).Resources("leases").Names("kube-controller-manager").RuleOrDie(),
-				// TODO: Remove once we fully migrate to lease in leader-election.
-				rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
-				rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("endpoints").Names("kube-controller-manager").RuleOrDie(),
 				// Fundamental resources.
 				rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("secrets", "serviceaccounts").RuleOrDie(),
 				rbacv1helpers.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml

@@ -636,21 +636,6 @@ items:
     verbs:
     - get
     - update
-  - apiGroups:
-    - ""
-    resources:
-    - endpoints
-    verbs:
-    - create
-  - apiGroups:
-    - ""
-    resourceNames:
-    - kube-controller-manager
-    resources:
-    - endpoints
-    verbs:
-    - get
-    - update
   - apiGroups:
     - ""
     resources: