From 2ded4b55b77c7640f2ece3e1ab33f69c73fb2bad Mon Sep 17 00:00:00 2001
From: Nick Turner
Date: Mon, 10 May 2021 10:12:45 -0700
Subject: [PATCH] Add permission for service account token creation.

- This is required for each controller to get its own service account identity and RBAC permissions, which helps with least privilege and improves audit logs. Enable with the flag `--use-service-account-credentials=true`
- Bump chart version
- Bump container version.
---
 charts/aws-cloud-controller-manager/Chart.yaml | 4 ++--
 charts/aws-cloud-controller-manager/values.yaml | 8 +++++++-
 docs/README.md | 1 +
 manifests/rbac.yaml | 6 ++++++
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/charts/aws-cloud-controller-manager/Chart.yaml b/charts/aws-cloud-controller-manager/Chart.yaml
index c7abb680b2..64e06861c0 100644
--- a/charts/aws-cloud-controller-manager/Chart.yaml
+++ b/charts/aws-cloud-controller-manager/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v1
 name: aws-cloud-controller-manager
 description: Installs Cloud Controller Manager for AWS Cloud Provider
-version: 0.0.2
-appVersion: v1.20.0-alpha.0
+version: 0.0.3
+appVersion: v1.21.0-alpha.0
 maintainers:
 - name: Jeswin K Ninan
   email: jeswinjkn@gmail.com
diff --git a/charts/aws-cloud-controller-manager/values.yaml b/charts/aws-cloud-controller-manager/values.yaml
index 480d1f21cc..5315ca0550 100644
--- a/charts/aws-cloud-controller-manager/values.yaml
+++ b/charts/aws-cloud-controller-manager/values.yaml
@@ -5,7 +5,7 @@ extraArgs: {}
 image:
   repository: gcr.io/k8s-staging-provider-aws/cloud-controller-manager
-  tag: v1.20.0-alpha.0
+  tag: v1.21.0-alpha.0
 # nameOverride -- String to partially override `aws-cloud-controller-manager.fullname`
 nameOverride: "aws-cloud-controller-manager"
@@ -89,6 +89,12 @@ clusterRoleRules:
   - list
   - watch
   - update
+- apiGroups: - "" resources: - serviceaccounts/token verbs: - create
 # resources -- Pod resource requests and limits.
 resources:
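Review bot: The new `serviceaccounts/token` / `create` rule added to `clusterRoleRules` in values.yaml carries no `resourceNames` and, being in what is presumably rendered as a ClusterRole, no namespace bound, so the controller is allowed to request a token for any ServiceAccount in the cluster, which is equivalent to acting as any of those identities; the identical rule in manifests/rbac.yaml has the same scope. The commit message says the grant is only needed once `--use-service-account-credentials=true` is set, and the visible default `extraArgs: {}` does not set that flag, so most chart installs would carry this privilege without using it. Consider gating the rule in the chart template on that flag being present in `extraArgs`, or at least annotating it in both files: `# Only needed with --use-service-account-credentials=true; allows requesting tokens for any ServiceAccount cluster-wide`. If the per-controller ServiceAccount names are fixed, a `resourceNames` list on this rule would narrow it further (resourceNames should apply here because the ServiceAccount name is in the token request path, but verify that against the RBAC authorizer), though those names are not visible in this change. The `rules:` list that the rbac.yaml hunk extends begins before the hunk, so which ClusterRole it belongs to is inferred, not shown.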
diff --git a/docs/README.md b/docs/README.md
index f0e2370244..bc23182c4b 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -47,6 +47,7 @@ The AWS cloud provider is released with a specific semantic version that correla
 | Kubernetes Version | Latest AWS Cloud Provider Release Version |
 |-----------------------------|-----------------------------------------------|
+| v1.21 | v1.21.0-alpha.0 |
 | v1.20 | v1.20.0-alpha.0 |
 | v1.19 | v1.19.0-alpha.1 |
 | v1.18 | v1.18.0-alpha.1 |
diff --git a/manifests/rbac.yaml b/manifests/rbac.yaml
index 6de798defc..adcdb80b5c 100644
--- a/manifests/rbac.yaml
+++ b/manifests/rbac.yaml
@@ -98,6 +98,12 @@ rules:
   - list
   - watch
   - update
+- apiGroups: - "" resources: - serviceaccounts/token verbs: - create
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1