From 89b5034d5626941e569ee8d840dada4c722c13e2 Mon Sep 17 00:00:00 2001 From: carlory Date: Thu, 7 Aug 2025 11:31:22 +0800 Subject: [PATCH] Make podcertificaterequestcleaner role feature-gated --- .../rbac/bootstrappolicy/controller_policy.go | 14 ++++++++------ .../testdata/controller-role-bindings.yaml | 16 ---------------- .../testdata/controller-roles.yaml | 18 ------------------ 3 files changed, 8 insertions(+), 40 deletions(-) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go index df0573483f5..eecbaf3520d 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go @@ -430,12 +430,14 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding) eventsRule(), }, }) - addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{ - ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "podcertificaterequestcleaner"}, - Rules: []rbacv1.PolicyRule{ - rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(certificatesGroup).Resources("podcertificaterequests").RuleOrDie(), - }, - }) + if utilfeature.DefaultFeatureGate.Enabled(features.PodCertificateRequest) { + addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{ + ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "podcertificaterequestcleaner"}, + Rules: []rbacv1.PolicyRule{ + rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(certificatesGroup).Resources("podcertificaterequests").RuleOrDie(), + }, + }) + } addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pvc-protection-controller"}, Rules: []rbacv1.PolicyRule{ diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml index 1891b77c15b..2b37923b82e 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml @@ -320,22 +320,6 @@ items: - kind: ServiceAccount name: pod-garbage-collector namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:podcertificaterequestcleaner - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:podcertificaterequestcleaner - subjects: - - kind: ServiceAccount - name: podcertificaterequestcleaner - namespace: kube-system - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml index 85237dde1f1..2cf50ff0876 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml @@ -1037,24 +1037,6 @@ items: - pods/status verbs: - patch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:podcertificaterequestcleaner - rules: - - apiGroups: - - certificates.k8s.io - resources: - - podcertificaterequests - verbs: - - delete - - get - - list - - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: