From ad8c9a3b8aa93ca83a9bf238aa2efc337eb48700 Mon Sep 17 00:00:00 2001
From: madhukar32
Date: Mon, 25 Sep 2017 09:06:27 -0700
Subject: [PATCH] Removes creation of CSR approval CR from kubeadm
---
 .../app/phases/bootstraptoken/node/BUILD | 1 -
 .../phases/bootstraptoken/node/tlsbootstrap.go | 18 +-----------------
 2 files changed, 1 insertion(+), 18 deletions(-)
diff --git a/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD b/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD
index 883e3fb76c..f801f055d8 100644
--- a/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD
+++ b/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD
@@ -23,7 +23,6 @@ go_library(
 "//cmd/kubeadm/app/constants:go_default_library",
 "//cmd/kubeadm/app/util/apiclient:go_default_library",
 "//cmd/kubeadm/app/util/token:go_default_library",
- "//pkg/apis/rbac/v1:go_default_library",
 "//pkg/bootstrap/api:go_default_library",
 "//pkg/util/version:go_default_library",
 "//vendor/k8s.io/api/core/v1:go_default_library",
diff --git a/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go b/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go
index cfa592afac..a2278f2010 100644
--- a/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go
+++ b/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go
@@ -24,7 +24,6 @@ import (
 clientset "k8s.io/client-go/kubernetes"
 "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 "k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
- rbachelper "k8s.io/kubernetes/pkg/apis/rbac/v1"
 "k8s.io/kubernetes/pkg/util/version"
 )
@@ -37,6 +36,7 @@ const (
 // CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
 // TODO: This value should be defined in an other, generic authz package instead of here
+ // Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
 CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
 // NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
 NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
@@ -70,22 +70,6 @@ func AutoApproveNodeBootstrapTokens(client clientset.Interface, k8sVersion *vers
 fmt.Println("[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token")
- // TODO: When the v1.9 cycle starts (targeting v1.9 at HEAD) and v1.8.0 is the minimum supported version, we can remove this function as the ClusterRole will always exist
- if k8sVersion.LessThan(constants.MinimumCSRAutoApprovalClusterRolesVersion) {
-
- err := apiclient.CreateOrUpdateClusterRole(client, &rbac.ClusterRole{
- ObjectMeta: metav1.ObjectMeta{
- Name: CSRAutoApprovalClusterRoleName,
- },
- Rules: []rbac.PolicyRule{
- rbachelper.NewRule("create").Groups("certificates.k8s.io").Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
- },
- })
- if err != nil {
- return err
- }
- }
-
 // Always create this kubeadm-specific binding though
 return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{
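Review bot: The comment added above `CSRAutoApprovalClusterRoleName` says the constant is created by the API server and sits directly under the TODO, so it reads as part of it; what gets created is the ClusterRole this name refers to, e.g. `// From v1.8 on, the ClusterRole with this name is created by the API server at startup; kubeadm only binds to it.` That wording matters because the `@@ -70,22 +70,6 @@` hunk deletes the only kubeadm code that spelled out the role's rule (`create` on `certificatesigningrequests/nodeclient`), so the permission behind the `kubeadm:node-autoapprove-bootstrap` binding is now defined outside this package. With the version check gone, `k8sVersion` appears unused in the visible part of `AutoApproveNodeBootstrapTokens` (its body starts and ends outside the hunk); if so, against an API server older than v1.8 the binding would presumably point at a role that does not exist and node CSRs would stay unapproved without any message, which is worth an explicit error or a note in the doc comment.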