karmada-io
diff --git a/‎artifacts/deploy/bootstrap-token-configuration.yaml
+60-256 b/‎artifacts/deploy/bootstrap-token-configuration.yaml
+60-256
@@ -13,6 +13,7 @@ data:
     kind: Config
 
 ---
+# Define a role with permission to get the cluster-info configmap
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -31,6 +32,8 @@ rules:
   - get
 
 ---
+# An anonymous user can get `cluster-info` configmap, which is used to obtain the control plane API server's server
+# address and `certificate-authority-data` during the `karmadactl register` process.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -48,6 +51,8 @@ subjects:
   name: system:anonymous
 
 ---
+# Group `system:bootstrappers:karmada:default-cluster-token` is the user group of the bootstrap token
+# used by `karmadactl register` when registering a new pull mode cluster.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -64,6 +69,26 @@ subjects:
   name: system:bootstrappers:karmada:default-cluster-token
 
 ---
+# Define a ClusterRole with permissions to automatically approve the agent CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:certificatesigningrequest:autoapprover
+rules:
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/clusteragent
+    verbs:
+      - create
+
+---
+# Group `system:bootstrappers:karmada:default-cluster-token` is the user group of the bootstrap token
+# used by `karmadactl register` when registering a new pull mode cluster.
+# When the `agentcsrapproving` controller is enabled by the karmada-controller-manager,
+# it can automatically approve the agent CSRs requested by the user group system:bootstrappers:karmada:default-cluster-token.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -73,13 +98,33 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
+  name: system:karmada:certificatesigningrequest:autoapprover
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
   name: system:bootstrappers:karmada:default-cluster-token
 
 ---
+# Define a ClusterRole with permissions to automatically approve the agent CSRs
+# where the user name and group of requester match those in the CSRs when the agentcsrapproving controller is enabled by karmada-controller-manager.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    karmada.io/bootstrapping: rbac-defaults
+  name: system:karmada:certificatesigningrequest:selfautoapprover
+rules:
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/selfclusteragent
+    verbs:
+      - create
+
+---
+# Group `system:karmada:agents` is the user group used by the karmada-agent to access the Karmada API server.
+# When the agentcsrapproving controller is enabled by the karmada-controller-manager, it can automatically approve
+# the agent CSRs(csr.Subject.CommonName = agent username) requested by the user group system:karmada:agents.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -89,280 +134,39 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
+  name: system:karmada:certificatesigningrequest:selfautoapprover
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
-  name: system:nodes
+  name: system:karmada:agents
 
 ---
+# ClusterRole `system:karmada:agent-rbac-generator` is not used for the connection between the karmada-agent and the control plane,
+# but is used by karmadactl register to generate the RBAC resources required by the karmada-agent.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     karmada.io/bootstrapping: rbac-defaults
-  name: system:karmada:agent
+  name: system:karmada:agent-rbac-generator
 rules:
-- apiGroups:
-  - cluster.karmada.io
-  resources:
-  - clusters
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - cluster.karmada.io
-  resources:
-  - clusters/status
-  verbs:
-  - update
-- apiGroups:
-  - work.karmada.io
-  resources:
-  - works
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - delete
-- apiGroups:
-  - work.karmada.io
-  resources:
-  - works/status
-  verbs:
-  - patch
-  - update
-- apiGroups:
-  - config.karmada.io
-  resources:
-  - resourceinterpreterwebhookconfigurations
-  - resourceinterpretercustomizations
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
-  - patch
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - get
-  - update
-- apiGroups:
-  - certificates.k8s.io
-  resources:
-  - certificatesigningrequests
-  verbs:
-  - create
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-  - update
+  - apiGroups: ['*']
+    resources: ['*']
+    verbs: ['*']
 
 ---
+# User `system:karmada:agent:rbac-generator` is specifically used during the `karmadactl register` process to generate restricted RBAC resources for the `karmada-agent`.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
     karmada.io/bootstrapping: rbac-defaults
-  name: system:karmada:agent
+  name: system:karmada:agent-rbac-generator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:karmada:agent
+  name: system:karmada:agent-rbac-generator
 subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: system:nodes
-
-# To ensure the agent has the minimal RBAC permissions, the ideal approach is to
-# use different RBAC configurations for different agents of member clusters with pull mode.
-# Below is the minimal set of RBAC permissions required for a single pull mode member cluster.
-# Here are the definitions of the variables used:
-#
-# - clustername: the name of the member cluster.
-# - cluster_namespace: the namespace where the member cluster secrets are stored, default to karmada-cluster.
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRole
-# metadata:
-#   name: system:karmada:agent
-# rules:
-# - apiGroups:
-#   - cluster.karmada.io
-#   resources:
-#   - clusters
-#   resourceNames:
-#   - {{clustername}}
-#   verbs:
-#   - create
-#   - get
-#   - delete
-# - apiGroups:
-#   - cluster.karmada.io
-#   resources:
-#   - clusters
-#   verbs:
-#   - list
-#   - watch
-# - apiGroups:
-#   - cluster.karmada.io
-#   resources:
-#   - clusters/status
-#   resourceNames:
-#   - {{clustername}}
-#   verbs:
-#   - update
-# - apiGroups:
-#   - config.karmada.io
-#   resources:
-#   - resourceinterpreterwebhookconfigurations
-#   - resourceinterpretercustomizations
-#   verbs:
-#   - get
-#   - list
-#   - watch
-# - apiGroups:
-#   - ""
-#   resources:
-#   - namespaces
-#   verbs:
-#   - get
-# - apiGroups:
-#   - coordination.k8s.io
-#   resources:
-#   - leases
-#   verbs:
-#   - create
-#   - get
-#   - update
-# - apiGroups:
-#   - certificates.k8s.io
-#   resources:
-#   - certificatesigningrequests
-#   verbs:
-#   - create
-#   - get
-# - apiGroups:
-#   - ""
-#   resources:
-#   - events
-#   verbs:
-#   - create
-#   - patch
-#   - update
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: system:karmada:agent
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: ClusterRole
-#   name: system:karmada:agent
-# subjects:
-# - apiGroup: rbac.authorization.k8s.io
-#   kind: Group
-#   name: system:nodes
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: Role
-# metadata:
-#   name: system:karmada:agent-secret
-#   namespace: "{{cluster_namespace}}"
-# rules:
-# - apiGroups:
-#   - ""
-#   resources:
-#   - secrets
-#   resourceNames:
-#   - {{clustername}}-impersonator
-#   - {{clustername}}
-#   verbs:
-#   - get
-#   - create
-#   - patch
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: RoleBinding
-# metadata:
-#   name: system:karmada:agent-secret
-#   namespace: "{{cluster_namespace}}"
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: Role
-#   name: system:karmada:agent-secret
-# subjects:
-# - apiGroup: rbac.authorization.k8s.io
-#   kind: Group
-#   name: system:nodes
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: Role
-# metadata:
-#   name: system:karmada:agent-work
-#   namespace: "karmada-es-{{clustername}}"
-# rules:
-# - apiGroups:
-#   - work.karmada.io
-#   resources:
-#   - works
-#   verbs:
-#   - create
-#   - get
-#   - list
-#   - watch
-#   - update
-#   - delete
-# - apiGroups:
-#   - work.karmada.io
-#   resources:
-#   - works/status
-#   verbs:
-#   - patch
-#   - update
-#
-# ---
-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: RoleBinding
-# metadata:
-#   name: system:karmada:agent-work
-#   namespace: "karmada-es-{{clustername}}"
-# roleRef:
-#   apiGroup: rbac.authorization.k8s.io
-#   kind: Role
-#   name: system:karmada:agent-work
-# subjects:
-# - apiGroup: rbac.authorization.k8s.io
-#   kind: Group
-#   name: system:nodes
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:karmada:agent:rbac-generator