diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 1460676cbe7..34a362a2f8e 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -139,6 +139,10 @@ func viewRules() []rbacv1.PolicyRule {
 rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses", "ingresses/status").RuleOrDie(),
 }
+
+ if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
+ rules = append(rules, rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("resourceclaims", "resourceclaims/status", "resourceclaimtemplates").RuleOrDie())
+ }
 return rules
 }
@@ -175,6 +179,9 @@ func editRules() []rbacv1.PolicyRule {
 rbacv1helpers.NewRule(ReadWrite...).Groups(coordinationGroup).Resources("leases").RuleOrDie(),
 }
+ if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
+ rules = append(rules, rbacv1helpers.NewRule(Write...).Groups(resourceGroup).Resources("resourceclaims", "resourceclaimtemplates").RuleOrDie())
+ }
 return rules
 }
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
index 611afa886b6..e566194cfdf 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
@@ -21,6 +21,7 @@ import (
 "path/filepath"
 "reflect"
 "slices"
+ "strings"
 "testing"
 "github.com/google/go-cmp/cmp"
@@ -31,6 +32,8 @@ import (
 "k8s.io/apimachinery/pkg/api/meta"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apiserver/pkg/util/feature"
+ featuregatetesting "k8s.io/component-base/featuregate/testing"
 "k8s.io/component-helpers/auth/rbac/validation"
 "k8s.io/kubernetes/pkg/api/legacyscheme"
 api "k8s.io/kubernetes/pkg/apis/core"
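Review bot: The gate-conditional rule added in viewRules (and the matching block in editRules in the next hunk) puts `resource.k8s.io` access into the aggregated default roles based on the gate value at the moment ClusterRoles() runs, i.e. at apiserver start, and nothing in the hunk records what happens when that value later changes; both enclosing functions begin outside the hunk. Because these roles carry `rbac.authorization.kubernetes.io/autoupdate: "true"` and, as far as I recall, bootstrap reconciliation only adds missing rules rather than removing extra ones, a cluster that has once started with DynamicResourceAllocation enabled would keep the resourceclaims/resourceclaimtemplates grants in system:aggregate-to-view and system:aggregate-to-edit after the gate is switched off, so the gate should not be read as a kill switch for the permission. A comment at the first gate check would capture that for operators and future reviewers: `// Reconciled additively at startup: once granted, these rules remain in existing clusters even if the gate is later disabled.` It would also help to note beside the edit rule that `resourceclaims/status` is deliberately read-only (present in the view rule, absent from the edit rule), matching how the other groups in these two functions are handled.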
@@ -175,6 +178,154 @@ func TestBootstrapClusterRoles(t *testing.T) { testObjects(t, list, "cluster-roles.yaml") } +func TestBootstrapClusterRolesWithFeatureGateEnabled(t *testing.T) { + expectedDiff := map[string]string{ + "system:monitoring": ` &v1.ClusterRole{ + TypeMeta: {}, + ObjectMeta: {Name: "system:monitoring", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}}, + Rules: []v1.PolicyRule{ + {Verbs: {"get"}, NonResourceURLs: {"/healthz", "/healthz/*", "/livez", "/livez/*", ...}}, + + {Verbs: []string{"get"}, NonResourceURLs: []string{"/flagz"}}, + + {Verbs: []string{"get"}, NonResourceURLs: []string{"/statusz"}}, + }, + AggregationRule: nil, +}`, + "system:aggregate-to-view": ` &v1.ClusterRole{ + TypeMeta: {}, + ObjectMeta: {Name: "system:aggregate-to-view", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults", "rbac.authorization.k8s.io/aggregate-to-view": "true"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}}, + Rules: []v1.PolicyRule{ + ... // 8 identical elements + {Verbs: {"get", "list", "watch"}, APIGroups: {"policy"}, Resources: {"poddisruptionbudgets", "poddisruptionbudgets/status"}}, + {Verbs: {"get", "list", "watch"}, APIGroups: {"networking.k8s.io"}, Resources: {"ingresses", "ingresses/status", "networkpolicies"}}, + + { + + Verbs: []string{"get", "list", "watch"}, + + APIGroups: []string{"resource.k8s.io"}, + + Resources: []string{"resourceclaims", "resourceclaims/status", "resourceclaimtemplates"}, + + }, + }, + AggregationRule: nil, + } + `, + "system:aggregate-to-edit": `&v1.ClusterRole{ + TypeMeta: {}, + ObjectMeta: {Name: "system:aggregate-to-edit", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults", "rbac.authorization.k8s.io/aggregate-to-edit": "true"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}}, + Rules: []v1.PolicyRule{ + ... 
// 11 identical elements + {Verbs: {"create", "delete", "deletecollection", "patch", ...}, APIGroups: {"networking.k8s.io"}, Resources: {"ingresses", "networkpolicies"}}, + {Verbs: {"create", "delete", "deletecollection", "get", ...}, APIGroups: {"coordination.k8s.io"}, Resources: {"leases"}}, + + { + + Verbs: []string{"create", "delete", "deletecollection", "patch", "update"}, + + APIGroups: []string{"resource.k8s.io"}, + + Resources: []string{"resourceclaims", "resourceclaimtemplates"}, + + }, + }, + AggregationRule: nil, + } + `, + "system:node": ` &v1.ClusterRole{ + TypeMeta: {}, + ObjectMeta: {Name: "system:node", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}}, + Rules: []v1.PolicyRule{ + ... // 20 identical elements + {Verbs: {"create", "delete", "get", "patch", ...}, APIGroups: {"storage.k8s.io"}, Resources: {"csinodes"}}, + {Verbs: {"get", "list", "watch"}, APIGroups: {"node.k8s.io"}, Resources: {"runtimeclasses"}}, + + { + + Verbs: []string{"get"}, + + APIGroups: []string{"resource.k8s.io"}, + + Resources: []string{"resourceclaims"}, + + }, + + { + + Verbs: []string{"deletecollection"}, + + APIGroups: []string{"resource.k8s.io"}, + + Resources: []string{"resourceslices"}, + + }, + + { + + Verbs: []string{"get", "list", "watch"}, + + APIGroups: []string{"certificates.k8s.io"}, + + Resources: []string{"clustertrustbundles"}, + + }, + }, + AggregationRule: nil, + } + `, + "system:kube-scheduler": ` &v1.ClusterRole{ + TypeMeta: {}, + ObjectMeta: {Name: "system:kube-scheduler", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}}, + Rules: []v1.PolicyRule{ + ... 
// 18 identical elements + {Verbs: {"get", "list", "watch"}, APIGroups: {"storage.k8s.io"}, Resources: {"csidrivers"}}, + {Verbs: {"get", "list", "watch"}, APIGroups: {"storage.k8s.io"}, Resources: {"csistoragecapacities"}}, + + { + + Verbs: []string{"get", "list", "watch"}, + + APIGroups: []string{"resource.k8s.io"}, + + Resources: []string{"deviceclasses"}, + + }, + + { + + Verbs: []string{"get", "list", "patch", "update", "watch"}, + + APIGroups: []string{"resource.k8s.io"}, + + Resources: []string{"resourceclaims"}, + + }, + + { + + Verbs: []string{"get", "list", "patch", "update", "watch"}, + + APIGroups: []string{"resource.k8s.io"}, + + Resources: []string{"resourceclaims/status"}, + + }, + + { + + Verbs: []string{"get", "list", "patch", "update", "watch"}, + + APIGroups: []string{""}, + + Resources: []string{"pods/finalizers"}, + + }, + + { + + Verbs: []string{"get", "list", "watch"}, + + APIGroups: []string{"resource.k8s.io"}, + + Resources: []string{"resourceslices"}, + + }, + }, + AggregationRule: nil, + } + `, + "system:cluster-trust-bundle-discovery": ` any( + + s"&ClusterRole{ObjectMeta:{system:cluster-trust-bundle-discovery 0 0001-01-01 00:00:00 +0000 UTC map[kubernetes.io/bootstrapping:rbac-defaults] map[rbac.authorization.kubernetes.io/autoupdate:true] [] [] []},Rules:[]PolicyRule{PolicyRule{Ver"..., + ) + `, + } + + names := sets.NewString() + roles := map[string]runtime.Object{} + bootstrapRoles := bootstrappolicy.ClusterRoles() + for i := range bootstrapRoles { + role := bootstrapRoles[i] + names.Insert(role.Name) + roles[role.Name] = &role + } + + featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllAlpha", true) + featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllBeta", true) + + bootstrapRoles = bootstrappolicy.ClusterRoles() + featureGateList := &api.List{} + featureGateNames := sets.NewString() + featureGateRoles := map[string]runtime.Object{} + for i := range bootstrapRoles { + role := 
bootstrapRoles[i] + featureGateNames.Insert(role.Name) + featureGateRoles[role.Name] = &role + actualDiff := cmp.Diff(roles[role.Name], featureGateRoles[role.Name]) + //normalize whitespace + expectedDiffNormalized := strings.Join(strings.Fields(expectedDiff[role.Name]), " ") + actualDiffNormalized := strings.Join(strings.Fields(actualDiff), " ") + if expectedDiffNormalized != actualDiffNormalized { + t.Errorf("RoleName '%s', diff between regular and feature gate. Expected: [%s], Actual: [%s]", role.Name, expectedDiff[role.Name], actualDiff) + } + } + for _, featureGateName := range featureGateNames.List() { + featureGateList.Items = append(featureGateList.Items, featureGateRoles[featureGateName]) + } + + testObjects(t, featureGateList, "cluster-roles-featuregates.yaml") + +} + func TestBootstrapClusterRoleBindings(t *testing.T) { list := &api.List{} names := sets.NewString() diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml new file mode 100644 index 00000000000..8e123cf3b68 --- /dev/null +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml 
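Review bot: The comparison loop walks only the feature-gated role list, so a role that exists without gates but disappears with them, or an `expectedDiff` key whose role never appears in `bootstrapRoles`, produces no failure; `names` is filled in the first loop but never compared against `featureGateNames`. Adding the set-difference and key checks below after the loop closes both gaps. Separately, the `system:cluster-trust-bundle-discovery` expectation is a truncated cmp rendering (`s"&ClusterRole{..."...`) that only proves the role is new under the gates, not what it grants, and cmp's diff text is documented as not stable, so asserting that role's rules directly (the golden file already pins them) would be sturdier than matching the rendering. Minor: `//normalize whitespace` is conventionally written `// normalize whitespace`.
```go
	// … unchanged: per-role cmp.Diff loop …
	if missing := names.Difference(featureGateNames); missing.Len() > 0 {
		t.Errorf("roles present only without feature gates: %v", missing.List())
	}
	for name := range expectedDiff {
		if !featureGateNames.Has(name) {
			t.Errorf("expectedDiff lists %q but no bootstrap role by that name was produced", name)
		}
	}
	// … unchanged: build featureGateList and call testObjects …
```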
@@ -0,0 +1,1478 @@ +apiVersion: v1 +items: +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: admin + rules: null +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: cluster-admin + rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + - nonResourceURLs: + - '*' + verbs: + - '*' +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: edit + rules: null +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: system:aggregate-to-admin + rules: + - apiGroups: + - authorization.k8s.io + resources: + - localsubjectaccessreviews + verbs: + - create + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + 
kubernetes.io/bootstrapping: rbac-defaults + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: system:aggregate-to-edit + rules: + - apiGroups: + - "" + resources: + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + - secrets + - services/proxy + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create + - apiGroups: + - "" + resources: + - configmaps + - events + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - extensions + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - deletecollection + - patch + - update + - 
apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - resource.k8s.io + resources: + - resourceclaims + - resourceclaimtemplates + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: system:aggregate-to-view + rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - persistentvolumeclaims/status + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - services/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - controllerrevisions + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - replicasets + - replicasets/scale + - replicasets/status + - statefulsets + - statefulsets/scale + - statefulsets/status + verbs: + - get + - list + - watch + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch + - apiGroups: 
+ - batch + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - ingresses + - ingresses/status + - networkpolicies + - replicasets + - replicasets/scale + - replicasets/status + - replicationcontrollers/scale + verbs: + - get + - list + - watch + - apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingresses/status + - networkpolicies + verbs: + - get + - list + - watch + - apiGroups: + - resource.k8s.io + resources: + - resourceclaims + - resourceclaims/status + - resourceclaimtemplates + verbs: + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:auth-delegator + rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:basic-user + rules: + - apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create + - apiGroups: + - authentication.k8s.io + resources: + - selfsubjectreviews + verbs: + - create +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + 
kubernetes.io/bootstrapping: rbac-defaults + name: system:certificates.k8s.io:certificatesigningrequests:nodeclient + rules: + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/nodeclient + verbs: + - create +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient + rules: + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/selfnodeclient + verbs: + - create +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:certificates.k8s.io:kube-apiserver-client-approver + rules: + - apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/kube-apiserver-client + resources: + - signers + verbs: + - approve +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:certificates.k8s.io:kube-apiserver-client-kubelet-approver + rules: + - apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/kube-apiserver-client-kubelet + resources: + - signers + verbs: + - approve +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:certificates.k8s.io:kubelet-serving-approver + rules: + - apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/kubelet-serving + resources: + - signers + verbs: + - 
approve +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:certificates.k8s.io:legacy-unknown-approver + rules: + - apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - signers + verbs: + - approve +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:cluster-trust-bundle-discovery + rules: + - apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:discovery + rules: + - nonResourceURLs: + - /api + - /api/* + - /apis + - /apis/* + - /healthz + - /livez + - /openapi + - /openapi/* + - /readyz + - /version + - /version/ + verbs: + - get +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:heapster + rules: + - apiGroups: + - "" + resources: + - events + - namespaces + - nodes + - pods + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - deployments + verbs: + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:kube-aggregator + rules: + 
- apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:kube-controller-manager + rules: + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resourceNames: + - kube-controller-manager + resources: + - leases + verbs: + - get + - update + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - create + - apiGroups: + - "" + resources: + - secrets + verbs: + - delete + - apiGroups: + - "" + resources: + - configmaps + - namespaces + - secrets + - serviceaccounts + verbs: + - get + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '*' + resources: + - '*' + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:kube-dns + rules: + - apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:kube-scheduler + 
rules: + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resourceNames: + - kube-scheduler + resources: + - leases + verbs: + - get + - list + - update + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leasecandidates + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - get + - list + - watch + - apiGroups: + - "" + resources: + - bindings + - pods/binding + verbs: + - create + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - update + - apiGroups: + - "" + resources: + - replicationcontrollers + - services + verbs: + - get + - list + - watch + - apiGroups: + - apps + - extensions + resources: + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumes + verbs: + - get + - list + - watch + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + 
- csistoragecapacities + verbs: + - get + - list + - watch + - apiGroups: + - resource.k8s.io + resources: + - deviceclasses + verbs: + - get + - list + - watch + - apiGroups: + - resource.k8s.io + resources: + - resourceclaims + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - resource.k8s.io + resources: + - resourceclaims/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - resource.k8s.io + resources: + - resourceslices + verbs: + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:kubelet-api-admin + rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - proxy + - apiGroups: + - "" + resources: + - nodes/log + - nodes/metrics + - nodes/proxy + - nodes/stats + verbs: + - '*' + - apiGroups: + - "" + resources: + - nodes/configz + - nodes/healthz + - nodes/pods + verbs: + - '*' +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:monitoring + rules: + - nonResourceURLs: + - /healthz + - /healthz/* + - /livez + - /livez/* + - /metrics + - /metrics/slis + - /readyz + - /readyz/* + verbs: + - get + - nonResourceURLs: + - /flagz + verbs: + - get + - nonResourceURLs: + - /statusz + verbs: + - get +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + 
name: system:node + rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - localsubjectaccessreviews + - subjectaccessreviews + verbs: + - create + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - create + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch + - update + - apiGroups: + - "" + resources: + - nodes + verbs: + - patch + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - update + - apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumes + verbs: + - get + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - create + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - "" + resources: + - persistentvolumeclaims/status + verbs: + - get + - patch + - update + - apiGroups: + - storage.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - create + - delete + - get + - patch + - update + - apiGroups: 
+ - node.k8s.io + resources: + - runtimeclasses + verbs: + - get + - list + - watch + - apiGroups: + - resource.k8s.io + resources: + - resourceclaims + verbs: + - get + - apiGroups: + - resource.k8s.io + resources: + - resourceslices + verbs: + - deletecollection + - apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:node-bootstrapper + rules: + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - create + - get + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:node-problem-detector + rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:node-proxier + rules: + - apiGroups: + - "" + resources: + - endpoints + - services + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - servicecidrs + verbs: + - list + - watch + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - 
list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:persistent-volume-provisioner + rules: + - apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - create + - delete + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - update + - watch + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - watch + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:public-info-viewer + rules: + - nonResourceURLs: + - /healthz + - /livez + - /readyz + - /version + - /version/ + verbs: + - get +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:service-account-issuer-discovery + rules: + - nonResourceURLs: + - /.well-known/openid-configuration + - /.well-known/openid-configuration/ + - /openid/v1/jwks + - /openid/v1/jwks/ + verbs: + - get +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:volume-scheduler + rules: + - apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - 
storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - patch + - update + - watch +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: view + rules: null +kind: List +metadata: {}