Include "ingresses" in RBAC bootstrap roles

The bootstrap RBAC roles "admin", "edit", and "view" should all be able to apply their respective access verbs to the "ingresses" resource in order to facilitate both publishing Ingress resources (for service administrators) and consuming them (for ingress controllers).
2025-08-01 07:47:56 +00:00 · 2017-01-17 14:44:56 -05:00 · 2017-01-17 14:44:56 -05:00 · 0016f7f2fc
commit 0016f7f2fc
parent 6cd0592a46
2 changed files with 9 additions and 6 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -114,8 +114,8 @@ func ClusterRoles() []rbac.ClusterRole {

 				rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "cronjobs", "scheduledjobs").RuleOrDie(),

-				rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", "horizontalpodautoscalers",
-					"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
+				rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
+					"horizontalpodautoscalers", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),

 				// additional admin powers
 				rbac.NewRule("create").Groups(authorizationGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
@ -144,8 +144,8 @@ func ClusterRoles() []rbac.ClusterRole {

 				rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "cronjobs", "scheduledjobs").RuleOrDie(),

-				rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", "horizontalpodautoscalers",
-					"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
+				rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
+					"horizontalpodautoscalers", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),
 			},
 		},
 		{
@ -167,8 +167,8 @@ func ClusterRoles() []rbac.ClusterRole {

 				rbac.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs", "scheduledjobs").RuleOrDie(),

-				rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "horizontalpodautoscalers",
-					"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
+				rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
+					"horizontalpodautoscalers", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),
 			},
 		},
 		{
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@ -133,6 +133,7 @@ items:
    - deployments
    - deployments/scale
    - horizontalpodautoscalers
+    - ingresses
    - replicasets
    - replicasets/scale
    - replicationcontrollers/scale
@ -320,6 +321,7 @@ items:
    - deployments
    - deployments/scale
    - horizontalpodautoscalers
+    - ingresses
    - replicasets
    - replicasets/scale
    - replicationcontrollers/scale
@ -717,6 +719,7 @@ items:
    - deployments
    - deployments/scale
    - horizontalpodautoscalers
+    - ingresses
    - replicasets
    - replicasets/scale
    - replicationcontrollers/scale