openshift
diff --git a/‎install/0000_80_machine-config_00_rbac.yaml‎
Lines changed: 32 additions & 0 deletions b/‎install/0000_80_machine-config_00_rbac.yaml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎manifests/machineconfigcontroller/clusterrole.yaml‎
Lines changed: 2 additions & 2 deletions b/‎manifests/machineconfigcontroller/clusterrole.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/apihelpers/apihelpers.go‎
Lines changed: 26 additions & 0 deletions b/‎pkg/apihelpers/apihelpers.go‎
Lines changed: 26 additions & 0 deletions
@@ -144,6 +144,38 @@ subjects:
 roleRef:
   kind: Role
   name: host-networking-services
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-credential-providers
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["*"]
+    verbs: ["request-serviceaccounts-token-audience"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-credential-providers-binding
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-credential-providers
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: system:nodes
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 
@@ -13,10 +13,10 @@ rules:
   resources: ["configmaps", "secrets"]
   verbs: ["*"]
 - apiGroups: ["config.openshift.io"]
-  resources: ["images", "clusterversions", "featuregates", "nodes", "nodes/status", "imagepolicies/status"]
+  resources: ["images", "clusterversions", "featuregates", "nodes", "nodes/status", "imagepolicies/status", "criocredentialproviderconfigs/status"]
   verbs: ["*"]
 - apiGroups: ["config.openshift.io"]
-  resources: ["schedulers", "apiservers", "infrastructures", "imagedigestmirrorsets", "imagetagmirrorsets", "clusterimagepolicies", "imagepolicies"]
+  resources: ["schedulers", "apiservers", "infrastructures", "imagedigestmirrorsets", "imagetagmirrorsets", "clusterimagepolicies", "imagepolicies", "criocredentialproviderconfigs"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["operator.openshift.io"]
   resources: ["imagecontentsourcepolicies"]
 
@@ -108,6 +108,32 @@ var (
 					},
 				},
 			},
+			// Add default policy for KubernetesCredentialProvidersDir
+			{
+				Path: constants.KubernetesCredentialProvidersDir,
+				Actions: []opv1.NodeDisruptionPolicyStatusAction{
+					{
+						Type: opv1.RestartStatusAction,
+						Restart: &opv1.RestartService{
+							ServiceName: "kubelet.service",
+						},
+					},
+				},
+			},
+			{
+				Path: constants.KubeletCrioImageCredProviderConfPath,
+				Actions: []opv1.NodeDisruptionPolicyStatusAction{
+					{
+						Type: opv1.DaemonReloadStatusAction,
+					},
+					{
+						Type: opv1.RestartStatusAction,
+						Restart: &opv1.RestartService{
+							ServiceName: "kubelet.service",
+						},
+					},
+				},
+			},
 		},
 		SSHKey: opv1.NodeDisruptionPolicyStatusSSHKey{
 			Actions: []opv1.NodeDisruptionPolicyStatusAction{