From 74c299bf2c4e077867b2965c77a4484f6362768c Mon Sep 17 00:00:00 2001
From: Starbuck
Date: Tue, 10 Nov 2020 13:47:13 +0100
Subject: [PATCH] Restore kube-controller-manager --use-service-account-credentials
* kube-controller-manager Pods can start control loops with credentials that have been granted relevant controller manager roles or using generated service accounts bound to each role
* During the migration of the control plane from self-hosted to static pods (https://github.com/poseidon/terraform-render-bootstrap/pull/148) the flag for using separate service accounts was inadvertently dropped
* Restore the --use-service-account-credentials flag used before v1.16
Related:
* https://kubernetes.io/docs/reference/access-authn-authz/rbac/#controller-roles
* https://github.com/poseidon/terraform-render-bootstrap/pull/225
---
 resources/static-manifests/kube-controller-manager.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/resources/static-manifests/kube-controller-manager.yaml b/resources/static-manifests/kube-controller-manager.yaml
index ac4cb19..47acf64 100644
--- a/resources/static-manifests/kube-controller-manager.yaml
+++ b/resources/static-manifests/kube-controller-manager.yaml
@@ -33,6 +33,7 @@ spec:
 - --root-ca-file=/etc/kubernetes/secrets/ca.crt
 - --service-account-private-key-file=/etc/kubernetes/secrets/service-account.key
 - --service-cluster-ip-range=${service_cidr}
+ - --use-service-account-credentials=true
 livenessProbe:
 httpGet:
 scheme: HTTPS
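Review bot: The restored `--use-service-account-credentials=true` line carries no comment, and the commit message says the flag was already dropped once by accident during the static-pod migration. A line above it such as `# Run each controller loop under its own kube-system service account (system:controller:* roles), not the shared kube-controller-manager credential` would make any future removal a deliberate choice. The flag narrows privileges only if the identity in the controller manager's own kubeconfig is not still bound to a broad role; this hunk does not show that binding, so it is worth checking alongside this change. The container's argument list starts before the hunk and the pod spec continues after it.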