From 1f5070e81c0b22c70867ff1256c275b3f93e10b3 Mon Sep 17 00:00:00 2001
From: Rob Scott
Date: Thu, 29 Aug 2019 16:55:18 -0700
Subject: [PATCH] Adding EndpointSlice RBAC for node-proxier/kube-proxy
---
 .../authorizer/rbac/bootstrappolicy/policy.go | 26 +++++++++++--------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 4e9433a69b9..f4a978673b0 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -351,17 +351,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
 eventsRule(),
 },
 },
- {
- // a role to use for setting up a proxy
- ObjectMeta: metav1.ObjectMeta{Name: "system:node-proxier"},
- Rules: []rbacv1.PolicyRule{
- // Used to build serviceLister
- rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
- rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
-
- eventsRule(),
- },
- },
 {
 // a role to use for full access to the kubelet API
 ObjectMeta: metav1.ObjectMeta{Name: "system:kubelet-api-admin"},
@@ -472,6 +461,21 @@ func ClusterRoles() []rbacv1.ClusterRole {
 },
 }
 
+ // node-proxier role is used by kube-proxy.
+ nodeProxierRules := []rbacv1.PolicyRule{
+ rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
+ rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+
+ eventsRule(),
+ }
+ if utilfeature.DefaultFeatureGate.Enabled(features.EndpointSlice) {
+ nodeProxierRules = append(nodeProxierRules, rbacv1helpers.NewRule("list", "watch").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie())
+ }
+ roles = append(roles, rbacv1.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{Name: "system:node-proxier"},
+ Rules: nodeProxierRules,
+ })
+
 kubeSchedulerRules := []rbacv1.PolicyRule{
 eventsRule(),
 // This is for leaderlease access
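Review bot: The read-only `endpointslices` grant added under `if utilfeature.DefaultFeatureGate.Enabled(features.EndpointSlice)` is decided by the API server's gate at the time `ClusterRoles()` runs, while the consumer is kube-proxy whose gate is configured separately; a kube-proxy with the gate on talking to a server with it off is denied outright rather than degraded, which is acceptable but should be stated next to the check. Suggest expanding the comment above `nodeProxierRules` to `// node-proxier role is used by kube-proxy. The endpointslices grant follows the apiserver's EndpointSlice gate; kube-proxy's gate must agree for it to take effect.` The `// Used to build serviceLister` comment from the removed literal was dropped in the move and could be kept on the services/endpoints rule. Moving the role from the static literal into an `append` also changes its position in the returned slice; if any golden test data for the bootstrap roles is order-sensitive it presumably needs regenerating. `ClusterRoles()` begins and ends outside this hunk.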