Merge pull request #53009 from madhukar32/stop_create_csr_cr

Automatic merge from submit-queue (batch tested with PRs 51648, 53030, 53009). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.. Removes creation of ClusterRole for CSR approval from kubeadm **What this PR does / why we need it**: Removes creation of ClusterRole for CSR approval from kubeadm. Starting v1.8, ClusterRole needed for the CSR approval are automatically created by api server. See issue: https://github.com/kubernetes/kubeadm/issues/384 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note ```
2017-09-26 12:32:14 -07:00 · 2017-09-26 12:32:14 -07:00 · 7374678d12
parent c7c327752f ad8c9a3b8a
commit 7374678d12
2 changed files with 1 additions and 18 deletions
--- a/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD
+++ b/cmd/kubeadm/app/phases/bootstraptoken/node/BUILD
@ -23,7 +23,6 @@ go_library(
        "//cmd/kubeadm/app/constants:go_default_library",
        "//cmd/kubeadm/app/util/apiclient:go_default_library",
        "//cmd/kubeadm/app/util/token:go_default_library",
-        "//pkg/apis/rbac/v1:go_default_library",
        "//pkg/bootstrap/api:go_default_library",
        "//pkg/util/version:go_default_library",
        "//vendor/k8s.io/api/core/v1:go_default_library",
--- a/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go
+++ b/cmd/kubeadm/app/phases/bootstraptoken/node/tlsbootstrap.go
@ -24,7 +24,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient"
-	rbachelper "k8s.io/kubernetes/pkg/apis/rbac/v1"
 	"k8s.io/kubernetes/pkg/util/version"
 )

@ -37,6 +36,7 @@ const (

 	// CSRAutoApprovalClusterRoleName defines the name of the auto-bootstrapped ClusterRole for making the csrapprover controller auto-approve the CSR
 	// TODO: This value should be defined in an other, generic authz package instead of here
+	// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
 	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
 	// NodeAutoApproveBootstrapClusterRoleBinding defines the name of the ClusterRoleBinding that makes the csrapprover approve node CSRs
 	NodeAutoApproveBootstrapClusterRoleBinding = "kubeadm:node-autoapprove-bootstrap"
@ -70,22 +70,6 @@ func AutoApproveNodeBootstrapTokens(client clientset.Interface, k8sVersion *vers

 	fmt.Println("[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token")

-	// TODO: When the v1.9 cycle starts (targeting v1.9 at HEAD) and v1.8.0 is the minimum supported version, we can remove this function as the ClusterRole will always exist
-	if k8sVersion.LessThan(constants.MinimumCSRAutoApprovalClusterRolesVersion) {
-
-		err := apiclient.CreateOrUpdateClusterRole(client, &rbac.ClusterRole{
-			ObjectMeta: metav1.ObjectMeta{
-				Name: CSRAutoApprovalClusterRoleName,
-			},
-			Rules: []rbac.PolicyRule{
-				rbachelper.NewRule("create").Groups("certificates.k8s.io").Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
-			},
-		})
-		if err != nil {
-			return err
-		}
-	}
-
 	// Always create this kubeadm-specific binding though
 	return apiclient.CreateOrUpdateClusterRoleBinding(client, &rbac.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{