
Release 1.21

cert-manager v1.21 includes:

  • Removal of the default tokenrequest RBAC from the Helm chart (breaking change)

Major Themes

Default tokenrequest RBAC removed from Helm chart

⚠️ Breaking change

The Helm chart no longer creates a default Role and RoleBinding granting the cert-manager controller permission to create tokens for its own ServiceAccount (serviceaccounts/token: create).

This RBAC was added in v1.16 (cert-manager/cert-manager#7213) to support a "Using the cert-manager ServiceAccount" section in the Route53 documentation. That docs section was subsequently removed (cert-manager/website#1555) when the Route53 page was restructured, and no documented workflow — Route53 IRSA ambient, Vault Kubernetes auth, or any other issuer — requires the controller to mint tokens for its own ServiceAccount.

If you use serviceAccountRef.name pointing at the controller ServiceAccount, you must now either:

  • create your own Role and RoleBinding granting serviceaccounts/token: create on that ServiceAccount, or
  • migrate to a dedicated ServiceAccount with its own RBAC (recommended — see the Vault or Route53 documentation).
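The following manifest is an added example, not part of the cert-manager Helm chart or its documentation, showing the narrowest replacement for the removed RBAC: a Role scoped with resourceNames to a single ServiceAccount and bound to the controller. The namespace cert-manager, the controller ServiceAccount name cert-manager and the dedicated issuer ServiceAccount route53-issuer are assumed; set resourceNames to the controller's own name instead if you keep pointing serviceAccountRef.name at it.

```yaml
# Added example (not the cert-manager project's own manifest). Assumed names:
# namespace "cert-manager", controller ServiceAccount "cert-manager",
# dedicated issuer ServiceAccount "route53-issuer".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: route53-issuer
  namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-tokenrequest
  namespace: cert-manager
rules:
  # "serviceaccounts/token" is the TokenRequest subresource. resourceNames
  # limits the grant to the one ServiceAccount listed, so the controller
  # cannot mint tokens for any other ServiceAccount in the namespace.
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames: ["route53-issuer"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-tokenrequest
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-tokenrequest
subjects:
  # The controller ServiceAccount that cert-manager runs as.
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
```

After applying it, confirm the grant is in place and no wider than intended with `kubectl auth can-i create serviceaccounts/token --as=system:serviceaccount:cert-manager:cert-manager -n cert-manager` (expected: yes) and the same command with `--as` impersonating an unrelated ServiceAccount (expected: no).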

Credit to @everping and @kodareef5 for independently identifying (via privately reported security advisories) that this default RBAC widened the trust boundary beyond what cert-manager's published threat model documents.

Community

As always, we'd like to thank all of the community members who helped in this release cycle, including everyone listed below who merged a PR and anyone who helped by commenting on issues, testing, or getting involved in cert-manager meetings. We're lucky to have you involved.

A special thanks to:

  • TODO

for their contributions, comments and support!

Also, thanks to the cert-manager maintainer team for their help in this release:

And finally, thanks to the cert-manager steering committee for their feedback in this release cycle:

v1.21.0

Feature

TODO

Documentation

TODO

Bug or Regression

TODO

Other (Cleanup or Flake)

  • Removed the default tokenrequest Role and RoleBinding from the Helm chart that granted the controller ServiceAccount permission to mint tokens for itself. No documented workflow requires this RBAC. Users who relied on the undocumented pattern of pointing serviceAccountRef.name at the controller ServiceAccount must create their own Role and RoleBinding, or migrate to a dedicated ServiceAccount. See the upgrading notes for details. (cert-manager/cert-manager#8931, @wallrj-cyberark)