From b24fd73d26f9992789837e161777ed01d1af2ab1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mudrini=C4=87?= <mudrinic.mare@gmail.com>
Date: Thu, 16 Jul 2020 14:06:16 +0200
Subject: [PATCH] Add CSR RBAC to the example manifest

---
 examples/machine-controller.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/examples/machine-controller.yaml b/examples/machine-controller.yaml
index 2b7af7464..b07852123 100644
--- a/examples/machine-controller.yaml
+++ b/examples/machine-controller.yaml
@@ -456,6 +456,30 @@ rules:
   - "pods/eviction"
   verbs:
   - "create"
+# The following roles are required for NodeCSRApprover controller to be able
+# to reconcile CertificateSigningRequests for kubelet serving certificates.
+- apiGroups:
+  - "certificates.k8s.io"
+  resources:
+  - "certificatesigningrequests"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+- apiGroups:
+  - "certificates.k8s.io"
+  resources:
+  - "certificatesigningrequests/approval"
+  verbs:
+  - "update"
+- apiGroups:
+  - "certificates.k8s.io"
+  resources:
+  - "signers"
+  resourceNames:
+  - "kubernetes.io/kubelet-serving"
+  verbs:
+  - "approve"
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding