github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-21 18:11:22 +00:00
Code Issues Projects Releases Wiki Activity

allow the token controller to get, update secrets

Browse Source 
we need this on secret rotation here:

2c1c0f3f72/pkg/controller/serviceaccount/tokens_controller.go (L478-L481)
This commit is contained in:
Mike Danese
2017-04-18 16:53:33 -07:00
parent 33d036a564
commit 32735173df
2 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@@ -300,8 +300,8 @@ func ClusterRoles() []rbac.ClusterRole {
eventsRule(),
rbac.NewRule("create").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
rbac.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "serviceaccounts").RuleOrDie(),
rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "serviceaccounts").RuleOrDie(),
rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "secrets", "serviceaccounts").RuleOrDie(),
rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
// Needed to check API access. These creates are non-mutating
rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),

2
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@@ -460,6 +460,7 @@ items:
resources:
- endpoints
- namespaces
- secrets
- serviceaccounts
verbs:
- get
@@ -467,6 +468,7 @@ items:
- ""
resources:
- endpoints
- secrets
- serviceaccounts
verbs:
- update