apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2026-04-28T13:21:47Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:controller:certificate-controller
  resourceVersion: "135"
  uid: 09d6bfd7-c56b-4f0c-9b6b-6d4502bf16c1
rules:
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - delete
  - get
  - list
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/approval
  - certificatesigningrequests/status
  verbs:
  - update
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - kubernetes.io/kube-apiserver-client-kubelet
  resources:
  - signers
  verbs:
  - approve
- apiGroups:
  - certificates.k8s.io
  resourceNames:
  - kubernetes.io/kube-apiserver-client
  - kubernetes.io/kube-apiserver-client-kubelet
  - kubernetes.io/kubelet-serving
  - kubernetes.io/legacy-unknown
  resources:
  - signers
  verbs:
  - sign
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - ""
  - events.k8s.io
  resources:
  - events
  verbs:
  - create
  - patch
  - update