Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("approve").Groups(certificatesGroup).Resources("signers").Names(capi.LegacyUnknownSignerName).RuleOrDie(),
			},
		},
		{
			ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:kubelet-serving-approver"},
			Rules: []rbacv1.PolicyRule{

		name string
		// parameters to be set on the generated CSR
		commonName string
		dnsNames   []string
		org        []string
		usages     []capi.KeyUsage
		// whether the generated CSR should be marked as approved
		approved bool
		// whether the generated CSR should be marked as failed
		failed bool
		// the signerName to be set on the generated CSR
		signerName string
		// if true, expect an error to be returned
		err bool

-   If all looks good, the reviewer will approve the PR.
-   If a change is needed, the contributor is requested to make the suggested
    change.
-   You make the change and submit it for the review again.
-   This cycle repeats itself until the PR gets approved.
-   Note: As a friendly reminder, we may reach out to you if the PR is awaiting
    your response for more than 2 weeks.

**4. Approved**

	if oldCSR == nil {
		return false
	}
	approved := false
	denied := false
	for _, c := range oldCSR.Status.Conditions {
		if c.Type == certificates.CertificateApproved {
			approved = true
		} else if c.Type == certificates.CertificateDenied {
			denied = true
		}
	}
	// compatibility with existing data
	return approved && denied
}

	approver := approver.NewCSRApprovingController(
		ctx,
		controllerContext.ClientBuilder.ClientOrDie("certificate-controller"),
		controllerContext.InformerFactory.Certificates().V1().CertificateSigningRequests(),
	)
	go approver.Run(ctx, 5)

	return nil, true, nil
}

					log.Debugf("test signer sign %v: %v", csr.Name, err)
				} else {
					log.Debugf("test signer skip, not approved: %v", csr.Name)
				}
			}
		}
	}()
	return client
}

func approved(csr *cert.CertificateSigningRequest) bool {
	return GetCondition(csr.Status.Conditions, cert.CertificateApproved).Status == corev1.ConditionTrue
}

	// Starting from v1.8, CSRAutoApprovalClusterRoleName is automatically created by the API server on startup
	CSRAutoApprovalClusterRoleName = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
	// NodeSelfCSRAutoApprovalClusterRoleName is a role defined in default 1.8 RBAC policies for automatic CSR approvals for automatically rotated node certificates

* Then **comment** saying that you did that, that's how I will know you really checked it.

!!! info
    Unfortunately, I can't simply trust PRs that just have several approvals.

    Several times it has happened that there are PRs with 3, 5 or more approvals, probably because the description is appealing, but when I check the PRs, they are actually broken, have a bug, or don't solve the problem they claim to solve. 😅

	// new certificate from the certificates.k8s.io API. This requires an approver to approve the
	// certificate signing requests.
	RotateCertificates bool
	// serverTLSBootstrap enables server certificate bootstrap. Instead of self
	// signing a serving certificate, the Kubelet will request a certificate from
	// the certificates.k8s.io API. This requires an approver to approve the

	}

	// Create/update RBAC rules that makes the bootstrap tokens able to get their CSRs approved automatically
	if err := nodebootstraptoken.AutoApproveNodeBootstrapTokens(client); err != nil {
		errs = append(errs, err)
	}

	// Create/update RBAC rules that makes the nodes to rotate certificates and get their CSRs approved automatically
	if err := nodebootstraptoken.AutoApproveNodeCertificateRotation(client); err != nil {