Merge pull request #82153 from robscott/endpointslice-rbac

Adding EndpointSlice RBAC for node-proxier/kube-proxy

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go

@@ -352,17 +352,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
 				eventsRule(),
 			},
 		},
-		{
-			// a role to use for setting up a proxy
-			ObjectMeta: metav1.ObjectMeta{Name: "system:node-proxier"},
-			Rules: []rbacv1.PolicyRule{
-				// Used to build serviceLister
-				rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
-				rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
-
-				eventsRule(),
-			},
-		},
 		{
 			// a role to use for full access to the kubelet API
 			ObjectMeta: metav1.ObjectMeta{Name: "system:kubelet-api-admin"},
@@ -473,6 +462,21 @@ func ClusterRoles() []rbacv1.ClusterRole {
 		},
 	}
 
+	// node-proxier role is used by kube-proxy.
+	nodeProxierRules := []rbacv1.PolicyRule{
+		rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
+		rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+
+		eventsRule(),
+	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.EndpointSlice) {
+		nodeProxierRules = append(nodeProxierRules, rbacv1helpers.NewRule("list", "watch").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie())
+	}
+	roles = append(roles, rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: "system:node-proxier"},
+		Rules:      nodeProxierRules,
+	})
+
 	kubeSchedulerRules := []rbacv1.PolicyRule{
 		eventsRule(),
 		// This is for leaderlease access