Update installer job RBAC to grant approver permission

As of Kubernetes 1.18, explicit RBAC authorization is needed for the installer to approve a CSR (ie. to execute the "kubectl certificate approve" command).
nokia · May 14, 2020 · 51cff5f · 51cff5f
1 parent caaf9b5
commit 51cff5f
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/integration/install/0danm-installer-rbac.yaml b/integration/install/0danm-installer-rbac.yaml
@@ -78,12 +78,26 @@ rules:
   - "certificates.k8s.io"
   resources:
   - certificatesigningrequests
-  - certificatesigningrequests/approval
   verbs:
-  - delete
   - get
+  - list
+  - watch
   - create
   - update
+- apiGroups:
+  - "certificates.k8s.io"
+  resources:
+  - certificatesigningrequests/approval
+  verbs:
+  - update
+- apiGroups:
+  - "certificates.k8s.io"
+  resources:
+  - signers
+  resourceNames:
+  - kubernetes.io/legacy-unknown
+  verbs:
+  - approve
 - apiGroups:
   - "admissionregistration.k8s.io"
   resources:

diff --git a/integration/manifests/webhook/webhook-create-signed-cert.sh b/integration/manifests/webhook/webhook-create-signed-cert.sh
@@ -86,6 +86,7 @@ spec:
   groups:
   - system:authenticated
   request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
+  signerName: kubernetes.io/legacy-unknown
   usages:
   - digital signature
   - key encipherment