Currently the root-ca-cert-publisher was shadowed by BoundServiceAccountTokenVolume feature gate.

But its corresponding bootstrap RBAC policy was shadowed by TokenRequest feature gate. This patch fix it.
2018-11-26 13:13:18 +08:00 · 2018-11-26 13:13:18 +08:00 · 0bab5ee5ad
parent 1e50c57113
commit 0bab5ee5ad
3 changed files with 1 additions and 43 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@ -353,7 +353,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 		})
 	}

-	if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
 		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
 			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"},
 			Rules: []rbacv1.PolicyRule{
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
@ -357,23 +357,6 @@ items:
  - kind: ServiceAccount
    name: resourcequota-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
-  kind: ClusterRoleBinding
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    creationTimestamp: null
-    labels:
-      kubernetes.io/bootstrapping: rbac-defaults
-    name: system:controller:root-ca-cert-publisher
-  roleRef:
-    apiGroup: rbac.authorization.k8s.io
-    kind: ClusterRole
-    name: system:controller:root-ca-cert-publisher
-  subjects:
-  - kind: ServiceAccount
-    name: root-ca-cert-publisher
-    namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@ -1031,31 +1031,6 @@ items:
    - create
    - patch
    - update
- apiVersion: rbac.authorization.k8s.io/v1
-  kind: ClusterRole
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    creationTimestamp: null
-    labels:
-      kubernetes.io/bootstrapping: rbac-defaults
-    name: system:controller:root-ca-cert-publisher
-  rules:
-  - apiGroups:
-    - ""
-    resources:
-    - configmaps
-    verbs:
-    - create
-    - update
-  - apiGroups:
-    - ""
-    resources:
-    - events
-    verbs:
-    - create
-    - patch
-    - update
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata: