diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index e5311064e6e..297cc8e9185 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -50,7 +50,7 @@ func addControllerRole(controllerRoles *[]rbacv1.ClusterRole, controllerRoleBind
 }
 
 func eventsRule() rbacv1.PolicyRule {
- return rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie()
+ return rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie()
 }
 
 func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding) {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 5293683e142..3229fe245ea 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -52,6 +52,7 @@ const (
 resMetricsGroup = "metrics.k8s.io"
 customMetricsGroup = "custom.metrics.k8s.io"
 networkingGroup = "networking.k8s.io"
+ eventsGroup = "events.k8s.io"
 )
 
 func addDefaultMetadata(obj runtime.Object) {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index a7d28c1385d..e3fd054bd5a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -600,6 +600,7 @@ items:
 rules:
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -693,6 +694,7 @@ items:
 rules:
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1064,6 +1066,7 @@ items:
 - patch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
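Review bot: `eventsRule()` carries no doc comment, yet after this change it is the one place that decides which API groups every bootstrap role may write events to; I would add `// eventsRule permits create/update/patch on events in both the core ("") group and events.k8s.io, so a component can record events through either API.` above the function. The fixture hunks show the helper is shared well beyond controller roles (cluster-roles.yaml and namespace-roles.yaml change as well), so the grant widens for every caller at once; the verbs stay write-only (no get, list or delete), which keeps the widening narrow. Any rule that names `events` under `legacyGroup` directly instead of calling this helper is not touched by the diff and, if one exists outside these hunks, would stay limited to the core group. Roles defined outside the bootstrap policy are presumably not updated by this change either, so operators with custom event-writing roles may need the same extra group.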
@@ -1096,6 +1099,7 @@ items:
 - get
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1147,6 +1151,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 411a2749d11..31052cb695a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -42,6 +42,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -100,6 +101,7 @@ items:
 - create
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -178,6 +180,7 @@ items:
 - list
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -254,6 +257,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -318,6 +322,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -390,6 +395,7 @@ items:
 - get
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -433,6 +439,7 @@ items:
 - create
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -497,6 +504,7 @@ items:
 - get
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -526,6 +534,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -593,6 +602,7 @@ items:
 - list
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -642,6 +652,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -725,6 +736,7 @@ items:
 - list
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -829,6 +841,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -880,6 +893,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -915,6 +929,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -967,6 +982,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1016,6 +1032,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1047,6 +1064,7 @@ items:
 - update
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1078,6 +1096,7 @@ items:
 - patch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1102,6 +1121,7 @@ items:
 - create
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1142,6 +1162,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1216,6 +1237,7 @@ items:
 - get
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -1243,6 +1265,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
index efcc4bdbe19..875435e7319 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
@@ -29,6 +29,7 @@ items:
 - update
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
@@ -167,6 +168,7 @@ items:
 - watch
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs: