From e3f79588f4a21733c27d66639443435e070e2fb0 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Thu, 19 Jan 2017 10:36:28 -0500
Subject: [PATCH] kubeadm: use built-in system:node-bootstrapper role

---
 .../app/phases/apiconfig/clusterroles.go | 26 +++++--------------
 1 file changed, 6 insertions(+), 20 deletions(-)

diff --git a/cmd/kubeadm/app/phases/apiconfig/clusterroles.go b/cmd/kubeadm/app/phases/apiconfig/clusterroles.go
index a22febf857c..4bcabab0585 100644
--- a/cmd/kubeadm/app/phases/apiconfig/clusterroles.go
+++ b/cmd/kubeadm/app/phases/apiconfig/clusterroles.go
@@ -26,24 +26,8 @@ import (
 "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 )
 
-// CreateBootstrapRBACClusterRole creates the necessary ClusterRole for bootstrapping
+// CreateBootstrapRBACClusterRole grants the system:node-bootstrapper role to the group we created the bootstrap credential with
 func CreateBootstrapRBACClusterRole(clientset *clientset.Clientset) error {
- clusterRole := rbac.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{Name: "kubeadm:kubelet-bootstrap"},
- Rules: []rbac.PolicyRule{
- rbac.NewRule("get").Groups("").Resources("nodes").RuleOrDie(),
- rbac.NewRule("create", "watch").Groups("certificates.k8s.io").Resources("certificatesigningrequests").RuleOrDie(),
- },
- }
- if _, err := clientset.Rbac().ClusterRoles().Create(&clusterRole); err != nil {
- return err
- }
-
- subject := rbac.Subject{
- Kind: "Group",
- Name: "kubeadm:kubelet-bootstrap",
- }
-
 clusterRoleBinding := rbac.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{
 Name: "kubeadm:kubelet-bootstrap",
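Review bot: With the ClusterRole creation removed, the function body that remains only creates a ClusterRoleBinding, so the name `CreateBootstrapRBACClusterRole` and the new doc comment leave unstated that the `system:node-bootstrapper` ClusterRole must already exist on the API server; as far as I know a ClusterRoleBinding is accepted even when the referenced role is absent, in which case the `kubeadm:kubelet-bootstrap` group would silently hold no permissions. Suggest extending the doc comment with `// The ClusterRole itself is not created here; it is expected to be provided by the API server's built-in RBAC bootstrap policy.` The privileges previously spelled out in this file (get on nodes, create/watch on certificatesigningrequests) are now whatever that built-in role defines, so anyone auditing what the bootstrap credential can do must read the role definition rather than this code. CreateBootstrapRBACClusterRole's body continues in the next hunk.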
@@ -51,14 +35,16 @@ func CreateBootstrapRBACClusterRole(clientset *clientset.Clientset) error {
 RoleRef: rbac.RoleRef{
 APIGroup: "rbac.authorization.k8s.io",
 Kind: "ClusterRole",
- Name: "kubeadm:kubelet-bootstrap",
+ Name: "system:node-bootstrapper",
+ },
+ Subjects: []rbac.Subject{
+ rbac.Subject{Kind: "Group", Name: "kubeadm:kubelet-bootstrap"},
 },
- Subjects: []rbac.Subject{subject},
 }
 if _, err := clientset.Rbac().ClusterRoleBindings().Create(&clusterRoleBinding); err != nil {
 return err
 }
- fmt.Println("[apiconfig] Created kubelet-bootstrap RBAC rules")
+ fmt.Println("[apiconfig] Created node bootstrapper RBAC rules")
 return nil
 }
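Review bot: The added element literal `rbac.Subject{Kind: "Group", Name: "kubeadm:kubelet-bootstrap"}` repeats the slice's element type; `gofmt -s` would reduce it to `{Kind: "Group", Name: "kubeadm:kubelet-bootstrap"},`. The group name `kubeadm:kubelet-bootstrap` is also used as the ClusterRoleBinding's ObjectMeta name in the previous hunk, and `system:node-bootstrapper` is a bare string in the RoleRef; a package-level constant for each (e.g. `const nodeBootstrapperClusterRole = "system:node-bootstrapper"`) would keep the binding name, the subject group, the role reference and the log message from drifting apart on a later edit. The function's opening lines are in the previous hunk.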