From 41975226d6ee813696f91a0d9d51128632622090 Mon Sep 17 00:00:00 2001
From: liuwei <liuweixa@redhat.com>
Date: Mon, 20 Jul 2020 09:39:11 +0800
Subject: [PATCH] fix issue 3589

---
 deploy/hub/hub_controller_clusterrole.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/deploy/hub/hub_controller_clusterrole.yaml b/deploy/hub/hub_controller_clusterrole.yaml
index d7279ab3c..ef6d75aa9 100644
--- a/deploy/hub/hub_controller_clusterrole.yaml
+++ b/deploy/hub/hub_controller_clusterrole.yaml
@@ -38,3 +38,8 @@ rules:
 - apiGroups: ["register.open-cluster-management.io"]
   resources: ["managedclusters/accept"]
   verbs: ["update"]
+# Allow hub to approve certificates that are signed by kubernetes.io/kube-apiserver-client (kube1.18.3+ needs)
+- apiGroups: ["certificates.k8s.io"]
+  resources: ["signers"]
+  resourceNames: ["kubernetes.io/kube-apiserver-client"]
+  verbs: ["approve"]