Merge pull request #53144 from mikedanese/kubelet-revoke

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

gce: revoke kubelet binding permissions

and move the binding addon to EnsureExists, so new clusters will pickup
the new binding and old clusters will keep the old binding. The binding
is no longer required now that we are migrating to node authorizer.

fixes https://github.com/kubernetes/kubernetes/issues/53151

cluster/addons/rbac/legacy-kubelet-user-disable/kubelet-binding.yaml

@@ -0,0 +1,14 @@
+# This is required so that old clusters don't remove required bindings for 1.5
+# kubelets to function.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubelet-cluster-admin
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: EnsureExists
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:node
+subjects:

cluster/gce/gci/configure-helper.sh

@@ -1768,7 +1768,13 @@ function start-kube-addons {
   local -r dst_dir="/etc/kubernetes/addons"
 
   # prep addition kube-up specific rbac objects
-  setup-addon-manifests "addons" "rbac"
+  setup-addon-manifests "addons" "rbac/kubelet-api-auth"
+  setup-addon-manifests "addons" "rbac/kubelet-cert-rotation"
+  if [[ "${REGISTER_MASTER_KUBELET:-false}" == "true" ]]; then
+    setup-addon-manifests "addons" "rbac/legacy-kubelet-user"
+  else
+    setup-addon-manifests "addons" "rbac/legacy-kubelet-user-disabled"
+  fi
 
   if [[ "${ENABLE_POD_SECURITY_POLICY:-}" == "true" ]]; then
       setup-addon-manifests "addons" "podsecuritypolicies"