Merge pull request #40873 from liggitt/bootstrap-get-node

Automatic merge from submit-queue

Remove 'get node' call during bootstrapping

Kubelet bootstrapping should have minimal permissions until it obtains an approved client certificate.

@luxas PTAL

/cc @mikedanese @cjcullen https://github.com/kubernetes/kubernetes/pull/40760#issuecomment-276832957

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go

@@ -247,8 +247,6 @@ func ClusterRoles() []rbac.ClusterRole {
 			// a role to use for bootstrapping a node's client certificates
 			ObjectMeta: metav1.ObjectMeta{Name: "system:node-bootstrapper"},
 			Rules: []rbac.PolicyRule{
-				// used to check if the node already exists
-				rbac.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 				// used to create a certificatesigningrequest for a node-specific client certificate, and watch for it to be signed
 				rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
 			},

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml

@@ -586,12 +586,6 @@ items:
       kubernetes.io/bootstrapping: rbac-defaults
     name: system:node-bootstrapper
   rules:
-  - apiGroups:
-    - ""
-    resources:
-    - nodes
-    verbs:
-    - get
   - apiGroups:
     - certificates.k8s.io
     resources: