mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 19:56:01 +00:00
allow the token controller to get, update secrets
we need this on secret rotation here:
2c1c0f3f72/pkg/controller/serviceaccount/tokens_controller.go (L478-L481)
This commit is contained in:
parent
33d036a564
commit
32735173df
@ -300,8 +300,8 @@ func ClusterRoles() []rbac.ClusterRole {
|
||||
eventsRule(),
|
||||
rbac.NewRule("create").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
|
||||
rbac.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
|
||||
rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "serviceaccounts").RuleOrDie(),
|
||||
rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "serviceaccounts").RuleOrDie(),
|
||||
rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "secrets", "serviceaccounts").RuleOrDie(),
|
||||
rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
|
||||
// Needed to check API access. These creates are non-mutating
|
||||
rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
|
||||
|
||||
|
@ -460,6 +460,7 @@ items:
|
||||
resources:
|
||||
- endpoints
|
||||
- namespaces
|
||||
- secrets
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- get
|
||||
@ -467,6 +468,7 @@ items:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints
|
||||
- secrets
|
||||
- serviceaccounts
|
||||
verbs:
|
||||
- update
|
||||
|
Loading…
Reference in New Issue
Block a user