From 9947216abd80df0ccb9df83b630b893b07918e4e Mon Sep 17 00:00:00 2001
From: Andy Goldstein <agoldste@redhat.com>
Date: Mon, 13 Feb 2017 11:49:09 -0500
Subject: [PATCH] Allow controller manager to list/watch CSRs

---
 .../auth/authorizer/rbac/bootstrappolicy/policy.go | 14 ++++++++++++--
 .../bootstrappolicy/testdata/cluster-roles.yaml    |  9 ++++++++-
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index e0ee757a044..6d52ef962ce 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -279,13 +279,23 @@ func ClusterRoles() []rbac.ClusterRole {
 				rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "serviceaccounts").RuleOrDie(),
 				rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "serviceaccounts").RuleOrDie(),
 
-				rbac.NewRule("list", "watch").Groups("*").Resources("namespaces", "nodes", "persistentvolumeclaims",
-					"persistentvolumes", "pods", "secrets", "services", "serviceaccounts", "replicationcontrollers").RuleOrDie(),
+				rbac.NewRule("list", "watch").Groups(legacyGroup).Resources(
+					"namespaces",
+					"nodes",
+					"persistentvolumeclaims",
+					"persistentvolumes",
+					"pods",
+					"secrets",
+					"services",
+					"serviceaccounts",
+					"replicationcontrollers",
+				).RuleOrDie(),
 				rbac.NewRule("list", "watch").Groups(extensionsGroup).Resources("daemonsets", "deployments", "replicasets").RuleOrDie(),
 				rbac.NewRule("list", "watch").Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
 				rbac.NewRule("list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
 				rbac.NewRule("list", "watch").Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
 				rbac.NewRule("list", "watch").Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
+				rbac.NewRule("list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
 			},
 		},
 		{
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 99a6d8164de..cf430ab5ebd 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -444,7 +444,7 @@ items:
     verbs:
     - update
   - apiGroups:
-    - '*'
+    - ""
     resources:
     - namespaces
     - nodes
@@ -496,6 +496,13 @@ items:
     verbs:
     - list
     - watch
+  - apiGroups:
+    - certificates.k8s.io
+    resources:
+    - certificatesigningrequests
+    verbs:
+    - list
+    - watch
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: ClusterRole
   metadata: