kubernetes/cluster/addons/rbac/kubelet-cert-rotation/kubelet-certificate-management.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gce:beta:kubelet-certificate-bootstrap
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gce:beta:kubelet-certificate-bootstrap
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubelet
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gce:beta:kubelet-certificate-rotation
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gce:beta:kubelet-certificate-rotation
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gce:beta:kubelet-certificate-bootstrap
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - "certificates.k8s.io"
  resources:
  - certificatesigningrequests/nodeclient
  verbs:
  - "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gce:beta:kubelet-certificate-rotation
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - "certificates.k8s.io"
  resources:
  - certificatesigningrequests/selfnodeclient
  - certificatesigningrequests/selfnodeserver
  verbs:
  - "create"