Merge pull request #133409 from carlory/fix-rbac-podcertificaterequestcleaner

Make podcertificaterequestcleaner role feature-gated
2026-01-27 10:19:35 +00:00 · 2025-08-07 08:53:43 -07:00
parent 8ac9a3c089 89b5034d56
commit ee065dfc80
3 changed files with 8 additions and 40 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -430,12 +430,14 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 			eventsRule(),
 		},
 	})
-	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "podcertificaterequestcleaner"},
-		Rules: []rbacv1.PolicyRule{
-			rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(certificatesGroup).Resources("podcertificaterequests").RuleOrDie(),
-		},
-	})
+	if utilfeature.DefaultFeatureGate.Enabled(features.PodCertificateRequest) {
+		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "podcertificaterequestcleaner"},
+			Rules: []rbacv1.PolicyRule{
+				rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(certificatesGroup).Resources("podcertificaterequests").RuleOrDie(),
+			},
+		})
+	}
 	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pvc-protection-controller"},
 		Rules: []rbacv1.PolicyRule{
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
@@ -320,22 +320,6 @@ items:
  - kind: ServiceAccount
    name: pod-garbage-collector
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
-  kind: ClusterRoleBinding
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    labels:
-      kubernetes.io/bootstrapping: rbac-defaults
-    name: system:controller:podcertificaterequestcleaner
-  roleRef:
-    apiGroup: rbac.authorization.k8s.io
-    kind: ClusterRole
-    name: system:controller:podcertificaterequestcleaner
-  subjects:
-  - kind: ServiceAccount
-    name: podcertificaterequestcleaner
-    namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -1037,24 +1037,6 @@ items:
    - pods/status
    verbs:
    - patch
- apiVersion: rbac.authorization.k8s.io/v1
-  kind: ClusterRole
-  metadata:
-    annotations:
-      rbac.authorization.kubernetes.io/autoupdate: "true"
-    labels:
-      kubernetes.io/bootstrapping: rbac-defaults
-    name: system:controller:podcertificaterequestcleaner
-  rules:
-  - apiGroups:
-    - certificates.k8s.io
-    resources:
-    - podcertificaterequests
-    verbs:
-    - delete
-    - get
-    - list
-    - watch
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata: