From 074f2da32a41317717a42765e25a92286ccfdf98 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Fri, 3 Feb 2017 11:51:26 -0800
Subject: [PATCH] allow the kubelet to request certificates

This allows the rotation process to use the kubelet's credentials.
---
 .../pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 3 +++
 .../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 5c726d1121..5519e3093f 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -217,6 +217,9 @@ func ClusterRoles() []rbac.ClusterRole {
 // TODO: change glusterfs to use DNS lookup so this isn't needed?
 // Needed for glusterfs volumes
 rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
+ // Used to create a certificatesigningrequest for a node-specific client certificate, and watch
+ // for it to be signed. This allows the kubelet to rotate it's own certificate.
+ rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
 },
 },
 {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 780680dbc5..6a43c95c04 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -569,6 +569,15 @@ items:
 - endpoints
 verbs:
 - get
+ - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests verbs: - create - get - list - watch
 - apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
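Review bot: The added rule's `create` on certificatesigningrequests is not constrained to the caller's own identity — RBAC cannot inspect the CN/O inside a CSR — and the `list`/`watch` verbs expose every principal's CSR cluster-wide, so whichever role this lands in (presumably the node role, given the adjacent glusterfs endpoints rule) can request a certificate for any subject. Whether that is an escalation path rests entirely on the approver checking that the requesting identity matches the subject asked for before it signs; nothing in this hunk ties the two together, so the expectation should be stated in the comment: `// NOTE: RBAC cannot constrain a CSR's subject; the approver must verify it matches the requesting node before signing.` The same comment has a typo, `it's own` should read `its own`. The enclosing ClusterRoles() function starts and ends outside the hunk.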