From 006f34a9e1b75f2c21fea4194cfc62509b1b90a2 Mon Sep 17 00:00:00 2001
From: Mitsuo HEIJO
Date: Sun, 12 Oct 2025 11:38:55 +0900
Subject: [PATCH] Restrict create/delete verbs on nodes

Only few cloud providers actually need those verbs.

- create: kwok
- delete: kwok, huaweicloud

So, it would be better to restrict them to only those providers, following the principle of least privilege.

Signed-off-by: Mitsuo HEIJO
---
 cluster-autoscaler/charts/cluster-autoscaler/Chart.yaml | 2 +-
 .../charts/cluster-autoscaler/templates/clusterrole.yaml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/cluster-autoscaler/charts/cluster-autoscaler/Chart.yaml b/cluster-autoscaler/charts/cluster-autoscaler/Chart.yaml
index 0ddaa01df96..ba21205cbd5 100644
--- a/cluster-autoscaler/charts/cluster-autoscaler/Chart.yaml
+++ b/cluster-autoscaler/charts/cluster-autoscaler/Chart.yaml
@@ -11,4 +11,4 @@ name: cluster-autoscaler
 sources:
 - https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler
 type: application
-version: 9.52.0
+version: 9.52.1
diff --git a/cluster-autoscaler/charts/cluster-autoscaler/templates/clusterrole.yaml b/cluster-autoscaler/charts/cluster-autoscaler/templates/clusterrole.yaml
index e139db64052..6037ce73539 100644
--- a/cluster-autoscaler/charts/cluster-autoscaler/templates/clusterrole.yaml
+++ b/cluster-autoscaler/charts/cluster-autoscaler/templates/clusterrole.yaml
@@ -53,8 +53,12 @@ rules:
 verbs:
 - watch
 - list
+{{- if (eq .Values.cloudProvider "kwok") }}
 - create
+{{- end }}
+{{- if or (eq .Values.cloudProvider "kwok") (eq .Values.cloudProvider "huaweicloud") }}
 - delete
+{{- end }}
 - get
 - update
 - apiGroups:
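Review bot: The rationale for which providers get `create` and `delete` lives only in the commit message, so the two new `{{- if ... }}` guards will silently drift when a provider that needs one of these verbs is added, and the failure then surfaces as a runtime 403 from the API server rather than at install time; a template comment above the first guard such as `{{- /* create/delete on nodes are granted only to providers whose code issues them (create: kwok; delete: kwok, huaweicloud); extend these guards when adding such a provider */ -}}` keeps the least-privilege reasoning next to the rule it constrains. The second guard repeats the kwok comparison; `{{- if has .Values.cloudProvider (list "kwok" "huaweicloud") }}` reads as a membership test and is easier to extend. The rule these verbs belong to (its `apiGroups`/`resources`, presumably `nodes` per the subject line) begins before the hunk, so this review assumes the gated lines are the node verbs and not those of a subresource.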