capi-kubeadm-control-plane-manager-rolebinding no longer uses aggregated-manager-role #4935

dkoshkin opened this issue Jul 13, 2021 · 4 comments · Fixed by #4952
kind/bug Categorizes issue or PR as related to a bug. lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor.

@dkoshkin
Contributor

What steps did you take and what happened:
In v0.3.20
The capi-kubeadm-control-plane-manager-rolebinding used the capi-kubeadm-control-plane-aggregated-manager-role ClusterRole which allows the use of kubeadm.controlplane.cluster.x-k8s.io/aggregate-to-manager: "true" for the capi-kubeadm-control-plane-manager deployment to have additional RBAC permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    cluster.x-k8s.io/provider: control-plane-kubeadm
  name: capi-kubeadm-control-plane-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: capi-kubeadm-control-plane-aggregated-manager-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: capi-kubeadm-control-plane-system

In v0.4.0 the same ClusterRoleBinding is as follows, and kubeadm.controlplane.cluster.x-k8s.io/aggregate-to-manager: "true" no longer works:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    cluster.x-k8s.io/provider: control-plane-kubeadm
  name: capi-kubeadm-control-plane-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: capi-kubeadm-control-plane-manager-role
subjects:
- kind: ServiceAccount
  name: capi-kubeadm-control-plane-manager
  namespace: capi-kubeadm-control-plane-system

What did you expect to happen:
The behavior should be the same in the new version v0.4.0.

Anything else you would like to add:
Originally reported in https://kubernetes.slack.com/archives/C8TSNPY4T/p1625630307101000


It's possible to work around this by creating an additional ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    cluster.x-k8s.io/provider: control-plane-kubeadm
  name: capi-kubeadm-control-plane-aggregated-manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: capi-kubeadm-control-plane-system-capi-kubeadm-control-plane-aggregated-manager-role
subjects:
  - kind: ServiceAccount
    name: capi-kubeadm-control-plane-manager
    namespace: capi-kubeadm-control-plane-system

Environment:

  • Cluster-api version: v0.4.0

/kind bug
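The regression above comes down to which ClusterRole the binding's roleRef points at: only a ClusterRole with an aggregationRule picks up rules from ClusterRoles carrying the aggregate-to-manager label. The following is an added example (not cluster-api's own code) that resolves aggregated rules over a constructed set of manifests mirroring the v0.3.20 and v0.4.0 bindings; the rule contents and the "my-extra-permissions" role are placeholders, and the manager role is assumed to carry the aggregation label as the aggregated-role pattern expects.

```python
"""Resolve which rules a ClusterRoleBinding's subject effectively gets once the
RBAC controller has applied aggregationRule label selectors. Added example; the
ClusterRoles below are constructed and their rules are placeholders."""

AGG_LABEL = "kubeadm.controlplane.cluster.x-k8s.io/aggregate-to-manager"

# Constructed ClusterRoles (assumed shape, not cluster-api's real rule sets).
CLUSTER_ROLES = [
    {"name": "capi-kubeadm-control-plane-manager-role",
     "labels": {AGG_LABEL: "true"},  # assumed: the base role opts into aggregation
     "rules": [{"apiGroups": ["controlplane.cluster.x-k8s.io"],
                "resources": ["kubeadmcontrolplanes"], "verbs": ["*"]}]},
    {"name": "capi-kubeadm-control-plane-aggregated-manager-role",
     "labels": {},
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_LABEL: "true"}}]},
     "rules": []},  # rules are filled in by the controller, not authored
    # A user-supplied ClusterRole that opts in via the aggregation label.
    {"name": "my-extra-permissions", "labels": {AGG_LABEL: "true"},
     "rules": [{"apiGroups": ["infrastructure.cluster.x-k8s.io"],
                "resources": ["dockermachines"], "verbs": ["get", "list"]}]},
]

def matches(selector, labels):
    """Evaluate a matchLabels selector (the only selector form used here)."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def effective_rules(role_name, roles):
    """The role's own rules plus those of every ClusterRole matched by its
    aggregationRule selectors; a role without an aggregationRule gets only its own."""
    role = next(r for r in roles if r["name"] == role_name)
    rules = list(role.get("rules", []))
    for sel in role.get("aggregationRule", {}).get("clusterRoleSelectors", []):
        for other in roles:
            if other is not role and matches(sel, other.get("labels", {})):
                rules.extend(other.get("rules", []))
    return rules

def binding_grants(binding, roles, api_group):
    """True if the binding's roleRef, after aggregation, covers api_group."""
    return any(api_group in rule["apiGroups"]
               for rule in effective_rules(binding["roleRef"], roles))

# roleRef names taken from the two bindings quoted in the issue.
V0_3_20_BINDING = {"roleRef": "capi-kubeadm-control-plane-aggregated-manager-role"}
V0_4_0_BINDING = {"roleRef": "capi-kubeadm-control-plane-manager-role"}

if __name__ == "__main__":
    for version, b in (("v0.3.20", V0_3_20_BINDING), ("v0.4.0", V0_4_0_BINDING)):
        print(version, "grants infrastructure.cluster.x-k8s.io:",
              binding_grants(b, CLUSTER_ROLES, "infrastructure.cluster.x-k8s.io"))
```

Running it shows the opted-in API group reaching the subject through the v0.3.20 binding but not through the v0.4.0 one, which is exactly the behaviour change reported.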

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 13, 2021
@sbueringer
Member

@dkoshkin Thank you for reporting this. I went through our manifests and I think you're right. Looks to me like it wasn't intended and it didn't break CI because we only have tests which are using the APIgroups which are already included in the capi-kubeadm-control-plane-manager-role ClusterRole. I'll open a PR to fix it

@sbueringer
Member

/milestone v0.4
/assign
/lifecycle active

@k8s-ci-robot
Contributor

@sbueringer: You must be a member of the kubernetes-sigs/cluster-api-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Cluster API Maintainers and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone v0.4
/assign
/lifecycle active

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Jul 16, 2021
@vincepri
Member

/milestone v0.4

@k8s-ci-robot k8s-ci-robot added this to the v0.4 milestone Jul 16, 2021