Merge pull request #82153 from robscott/endpointslice-rbac

Adding EndpointSlice RBAC for node-proxier/kube-proxy
2025-07-21 10:51:29 +00:00 · 2019-08-30 13:05:14 -07:00 · 2019-08-30 13:05:14 -07:00 · 0ff92e36f2
commit 0ff92e36f2
parent 0466cb6e69 1f5070e81c
1 changed files with 15 additions and 11 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -352,17 +352,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
 				eventsRule(),
 			},
 		},
 		{
 			// a role to use for setting up a proxy
 			ObjectMeta: metav1.ObjectMeta{Name: "system:node-proxier"},
 			Rules: []rbacv1.PolicyRule{
 				// Used to build serviceLister
 				rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
 				rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 				eventsRule(),
 			},
 		},
 		{
 			// a role to use for full access to the kubelet API
 			ObjectMeta: metav1.ObjectMeta{Name: "system:kubelet-api-admin"},
@ -473,6 +462,21 @@ func ClusterRoles() []rbacv1.ClusterRole {
 		},
 	}
 	// node-proxier role is used by kube-proxy.
 	nodeProxierRules := []rbacv1.PolicyRule{
 		rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
 		rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 		eventsRule(),
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.EndpointSlice) {
 		nodeProxierRules = append(nodeProxierRules, rbacv1helpers.NewRule("list", "watch").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie())
 	}
 	roles = append(roles, rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: "system:node-proxier"},
 		Rules:      nodeProxierRules,
 	})
 	kubeSchedulerRules := []rbacv1.PolicyRule{
 		eventsRule(),
 		// This is for leaderlease access