apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-info
  namespace: kube-public
data:
  kubeconfig: |
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: {{ca_crt}}
        server: {{apiserver_address}}
    kind: Config

---
# Define a role with permission to get the cluster-info configmap
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:bootstrap-signer-clusterinfo
  namespace: kube-public
rules:
- apiGroups:
  - ""
  resourceNames:
  - cluster-info
  resources:
  - configmaps
  verbs:
  - get

---
# An anonymous user can get `cluster-info` configmap, which is used to obtain the control plane API server's server
# address and `certificate-authority-data` during the `karmadactl register` process.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:bootstrap-signer-clusterinfo
  namespace: kube-public
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system:karmada:bootstrap-signer-clusterinfo
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:anonymous

---
# Group `system:bootstrappers:karmada:default-cluster-token` is the user group of the bootstrap token
# used by `karmadactl register` when registering a new pull mode cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:agent-bootstrap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:bootstrappers:karmada:default-cluster-token

---
# Define a ClusterRole with permissions to automatically approve the agent CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:certificatesigningrequest:autoapprover
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/clusteragent
    verbs:
      - create

---
# Group `system:bootstrappers:karmada:default-cluster-token` is the user group of the bootstrap token
# used by `karmadactl register` when registering a new pull mode cluster.
# When the `agentcsrapproving` controller is enabled by the karmada-controller-manager,
# it can automatically approve the agent CSRs requested by the user group system:bootstrappers:karmada:default-cluster-token.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:agent-autoapprove-bootstrap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:karmada:certificatesigningrequest:autoapprover
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:bootstrappers:karmada:default-cluster-token

---
# Define a ClusterRole with permissions to automatically approve the agent CSRs
# where the user name and group of requester match those in the CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:certificatesigningrequest:selfautoapprover
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/selfclusteragent
    verbs:
      - create

---
# Group `system:karmada:agents` is the user group used by the karmada-agent to access the Karmada API server.
# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve
# the agent CSRs(csr.Subject.CommonName = agent username) requested by the user group system:karmada:agents.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:agent-autoapprove-certificate-rotation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:karmada:certificatesigningrequest:selfautoapprover
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:karmada:agents

---
# ClusterRole `system:karmada:agent-rbac-generator` is not used for the connection between the karmada-agent and the control plane,
# but is used by karmadactl register to generate the RBAC resources required by the karmada-agent.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:agent-rbac-generator
rules:
  - apiGroups: ['*']
    resources: ['*']
    verbs: ['*']

---
# User `system:karmada:agent:rbac-generator` is specifically used during the `karmadactl register` process to generate restricted RBAC resources for the `karmada-agent`.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    karmada.io/bootstrapping: rbac-defaults
  name: system:karmada:agent-rbac-generator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:karmada:agent-rbac-generator
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:karmada:agent:rbac-generator