From b0ddc138da9f54bcb34f09030f22e9aa3b623698 Mon Sep 17 00:00:00 2001
From: SataQiu <1527062125@qq.com>
Date: Fri, 6 Aug 2021 16:19:46 +0800
Subject: [PATCH] followup #386: update the ClusterRole for
 yurt-controller-manager

---
 config/setup/yurt-controller-manager.yaml     | 27 ++++++++++++++++++-
 .../yurt-controller-manager.yaml              | 26 ++++++++++++++++++
 pkg/yurtctl/constants/constants.go            | 26 ++++++++++++++++++
 3 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/config/setup/yurt-controller-manager.yaml b/config/setup/yurt-controller-manager.yaml
index 143e37d1a7a..d153a42351f 100644
--- a/config/setup/yurt-controller-manager.yaml
+++ b/config/setup/yurt-controller-manager.yaml
@@ -72,7 +72,32 @@ rules:
     verbs:
       - list
       - watch
-
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/approval
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - signers
+    resourceNames:
+      - "kubernetes.io/legacy-unknown"
+    verbs:
+      - approve
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/config/yaml-template/yurt-controller-manager.yaml b/config/yaml-template/yurt-controller-manager.yaml
index 63f69216a9a..ecd551fa349 100644
--- a/config/yaml-template/yurt-controller-manager.yaml
+++ b/config/yaml-template/yurt-controller-manager.yaml
@@ -72,6 +72,32 @@ rules:
     verbs:
       - list
       - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/approval
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - signers
+    resourceNames:
+      - "kubernetes.io/legacy-unknown"
+    verbs:
+      - approve
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/pkg/yurtctl/constants/constants.go b/pkg/yurtctl/constants/constants.go
index fae3378c928..0dffade6372 100644
--- a/pkg/yurtctl/constants/constants.go
+++ b/pkg/yurtctl/constants/constants.go
@@ -108,6 +108,32 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/approval
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - signers
+  resourceNames:
+  - "kubernetes.io/legacy-unknown"
+  verbs:
+  - approve
 `
 	YurtControllerManagerClusterRoleBinding = `
 apiVersion: rbac.authorization.k8s.io/v1