mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 11:21:47 +00:00
Merge pull request #71021 from liggitt/node-self-deletion
Remove self-deletion permissions from kubelets
This commit is contained in:
commit
1a54fd4319
@ -107,7 +107,7 @@ func NodeRules() []rbacv1.PolicyRule {
|
||||
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
|
||||
rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
|
||||
rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
|
||||
rbacv1helpers.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
|
||||
rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
|
||||
|
||||
// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
|
||||
rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
|
||||
|
@ -882,7 +882,6 @@ items:
|
||||
resources:
|
||||
- nodes
|
||||
verbs:
|
||||
- delete
|
||||
- patch
|
||||
- update
|
||||
- apiGroups:
|
||||
|
@ -530,7 +530,10 @@ func TestNodeAuthorizer(t *testing.T) {
|
||||
expectAllowed(t, createNode2MirrorPodEviction(node2Client))
|
||||
expectAllowed(t, createNode2(node2Client))
|
||||
expectAllowed(t, updateNode2Status(node2Client))
|
||||
expectAllowed(t, deleteNode2(node2Client))
|
||||
// self deletion is not allowed
|
||||
expectForbidden(t, deleteNode2(node2Client))
|
||||
// clean up node2
|
||||
expectAllowed(t, deleteNode2(superuserClient))
|
||||
|
||||
// create a pod as an admin to add object references
|
||||
expectAllowed(t, createNode2NormalPod(superuserClient))
|
||||
@ -621,7 +624,7 @@ func TestNodeAuthorizer(t *testing.T) {
|
||||
// node2 can no longer get the configmap after it is unassigned as its config source
|
||||
expectForbidden(t, getConfigMapConfigSource(node2Client))
|
||||
// clean up node2
|
||||
expectAllowed(t, deleteNode2(node2Client))
|
||||
expectAllowed(t, deleteNode2(superuserClient))
|
||||
|
||||
//TODO(mikedanese): integration test node restriction of TokenRequest
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user