From d11f5a0a20b92bb83fa4155a51f988c9614365a6 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 17 Jan 2017 14:31:34 -0500
Subject: [PATCH] Add node TLS bootstrapping role
---
 .../authorizer/rbac/bootstrappolicy/policy.go | 10 ++++++++
 .../testdata/cluster-roles.yaml | 25 +++++++++++++++++++
 2 files changed, 35 insertions(+)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index ca0c5d921d7..215b474619f 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -223,6 +223,16 @@ func ClusterRoles() []rbac.ClusterRole {
 eventsRule(),
 },
 },
+ {
+ // a role to use for bootstrapping a node's client certificates
+ ObjectMeta: api.ObjectMeta{Name: "system:node-bootstrapper"},
+ Rules: []rbac.PolicyRule{
+ // used to check if the node already exists
+ rbac.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+ // used to create a certificatesigningrequest for a node-specific client certificate, and watch for it to be signed
+ rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
+ },
+ },
 {
 // a role to use for allowing authentication and authorization delegation
 ObjectMeta: api.ObjectMeta{Name: "system:auth-delegator"},
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 305169c987a..8e8e93abba2 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
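Review bot: The new `system:node-bootstrapper` role grants `create` on certificatesigningrequests with no restriction on the subject a bootstrapping identity may request, plus cluster-wide `list`/`watch` over every CSR and `get` on every node, and nothing in the hunk records that CSR approval is the control point that enforces the node-specific identity. The comment on the CSR rule should state that boundary, e.g. `// approval (certificatesigningrequests/approval) is deliberately not granted; the CSR approver must verify the requested subject matches the bootstrapping node`. The node `get` rule is likewise unscoped, so presumably any holder of the bootstrap credential can read any node object rather than only its own; a short note saying that is intended would help the next reviewer of this policy. `ClusterRoles()` begins and ends outside the hunk.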
@@ -597,6 +597,31 @@ items:
 - endpoints
 verbs:
 - get
+- apiVersion: rbac.authorization.k8s.io/v1alpha1
+ kind: ClusterRole
+ metadata:
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:node-bootstrapper
+ rules:
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - certificates.k8s.io
+ attributeRestrictions: null
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - create
+ - get
+ - list
+ - watch
 - apiVersion: rbac.authorization.k8s.io/v1alpha1
 kind: ClusterRole
 metadata: