diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index a34d217f32..24450b2c70 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -230,6 +230,16 @@ func ClusterRoles() []rbac.ClusterRole {
 eventsRule(),
 },
 },
+ {
+ // a role to use for bootstrapping a node's client certificates
+ ObjectMeta: api.ObjectMeta{Name: "system:node-bootstrapper"},
+ Rules: []rbac.PolicyRule{
+ // used to check if the node already exists
+ rbac.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+ // used to create a certificatesigningrequest for a node-specific client certificate, and watch for it to be signed
+ rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
+ },
+ },
 {
 // a role to use for allowing authentication and authorization delegation
 ObjectMeta: api.ObjectMeta{Name: "system:auth-delegator"},
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 74b607d115..73ca300897 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
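Review bot: The scope of the new system:node-bootstrapper rules is wider than the inline comments suggest: `list`/`watch` on certificatesigningrequests cannot be name-scoped by RBAC, so any subject bound to this role can observe every CSR in the cluster (the request and any issued certificate), not only the one it created, and `get` on nodes is likewise cluster-wide because the node name is not known when the role is defined. That is a reasonable trade-off for a bootstrap identity, but it should be stated so the role is not bound more broadly later; I would extend the comment on the CSR rule with `// NOTE: list/watch are cluster-wide (RBAC cannot scope them by name), so a bound subject can read every CSR; bind this role only to bootstrap identities`. It is also worth recording that the role deliberately grants no approval permission (the `certificatesigningrequests/approval` subresource is not listed), so a bootstrapper cannot approve its own request; a comment such as `// approval is intentionally not granted; a separate approver must sign the CSR` makes that intent explicit for future edits. ClusterRoles() begins and ends outside this hunk, and no binding for the role appears in this diff, so where the role is actually granted cannot be checked here.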
@@ -617,6 +617,31 @@ items: - endpoints verbs: - get +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:node-bootstrapper + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - nodes + verbs: + - get + - apiGroups: + - certificates.k8s.io + attributeRestrictions: null + resources: + - certificatesigningrequests + verbs: + - create + - get + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1alpha1 kind: ClusterRole metadata: