followup openyurtio#386: update the ClusterRole for yurt-controller-m…

…anager
SataQiu · Aug 6, 2021 · b0ddc13 · b0ddc13
1 parent 131c435
commit b0ddc13
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 1 deletion.
diff --git a/config/setup/yurt-controller-manager.yaml b/config/setup/yurt-controller-manager.yaml
@@ -72,7 +72,32 @@ rules:
     verbs:
       - list
       - watch
-
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/approval
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - signers
+    resourceNames:
+      - "kubernetes.io/legacy-unknown"
+    verbs:
+      - approve
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/config/yaml-template/yurt-controller-manager.yaml b/config/yaml-template/yurt-controller-manager.yaml
@@ -72,6 +72,32 @@ rules:
     verbs:
       - list
       - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/approval
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - signers
+    resourceNames:
+      - "kubernetes.io/legacy-unknown"
+    verbs:
+      - approve
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/pkg/yurtctl/constants/constants.go b/pkg/yurtctl/constants/constants.go
@@ -108,6 +108,32 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/approval
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - signers
+  resourceNames:
+  - "kubernetes.io/legacy-unknown"
+  verbs:
+  - approve
 `
 	YurtControllerManagerClusterRoleBinding = `
 apiVersion: rbac.authorization.k8s.io/v1