From 0239dc1f6367cc357a4d495402fe7d66104fd9f0 Mon Sep 17 00:00:00 2001
From: Nick Turner
Date: Sun, 2 May 2021 00:56:35 -0700
Subject: [PATCH] Permission to create servcice account tokens

* We need the ability to create service account token because this is required by clientbuilder/controller-manager framework which we will be using in 1.21.
* This is required for the CCM to use 1 SA per controller, which follows principle of least privilege and makes audit logs easier to understand
* Restricts token creation to resource names "node-controller", "service-controller", and "route-controller".
---
 .../k8s-1.18.yaml.template | 10 ++++++++++
 .../aws-cloud-controller.addons.k8s.io-k8s-1.18.yaml | 10 ++++++++++
 .../awscloudcontroller/manifest.yaml | 2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/upup/models/cloudup/resources/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml.template b/upup/models/cloudup/resources/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml.template
index 2961e14829276..06bd70e33f174 100644
--- a/upup/models/cloudup/resources/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml.template
+++ b/upup/models/cloudup/resources/addons/aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml.template
@@ -145,6 +145,16 @@ rules: verbs: - list - watch
+- apiGroups: - "" resources: - serviceaccounts/token resourceNames: - node-controller - service-controller - route-controller verbs: - create --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/aws-cloud-controller.addons.k8s.io-k8s-1.18.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/aws-cloud-controller.addons.k8s.io-k8s-1.18.yaml
index 7e0783ee882eb..070c6e2031481 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/aws-cloud-controller.addons.k8s.io-k8s-1.18.yaml
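Review bot: The `resourceNames` list on the new `serviceaccounts/token` rule restricts which ServiceAccount names can have tokens minted, but not which namespace they live in; if the enclosing object is a ClusterRole (its header is above the hunk, and the object that follows it is a ClusterRoleBinding), the controller can request a token for any ServiceAccount named `node-controller`, `service-controller` or `route-controller` in any namespace, not only the one where the per-controller accounts are created. TokenRequest is also the most consequential verb in this rule set, because a minted token carries whatever those three accounts are bound to, so the effective privilege is the union of their bindings rather than the rule as written. If the per-controller accounts only ever exist in one namespace, consider carrying this rule in a namespaced Role/RoleBinding there instead of the ClusterRole; otherwise document the intent directly above the rule, e.g. `# TokenRequest for the per-controller SAs the CCM runs with (one SA per controller). Name-scoped only: a ClusterRole cannot scope by namespace.` Naming which ClusterRoles those three accounts are expected to be bound to would also let a reader judge the real blast radius of this grant.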
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/aws-cloud-controller.addons.k8s.io-k8s-1.18.yaml
@@ -173,6 +173,16 @@ rules: verbs: - list - watch
+- apiGroups: - "" resourceNames: - node-controller - service-controller - route-controller resources: - serviceaccounts/token verbs: - create ---
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml
index dc1b4a130158e..3490fd2cb6299 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/awscloudcontroller/manifest.yaml
@@ -55,7 +55,7 @@ spec: - id: k8s-1.18 kubernetesVersion: '>=1.18.0' manifest: aws-cloud-controller.addons.k8s.io/k8s-1.18.yaml
- manifestHash: f3798709f4bc0eec2e211fda6f629fdae0e0b297
+ manifestHash: c0a92fc15661776506a8861a5600315b930a599b
 name: aws-cloud-controller.addons.k8s.io selector: k8s-addon: aws-cloud-controller.addons.k8s.io