From 32735173dfd081997066bfaeb9b2783bc9f52f51 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Tue, 18 Apr 2017 16:53:33 -0700
Subject: [PATCH] allow the token controller to get, update secrets
we need this on secret rotation here: https://github.com/kubernetes/kubernetes/blob/2c1c0f3f7295e0d00651d6e30cfcda56239275e4/pkg/controller/serviceaccount/tokens_controller.go#L478-L481
---
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 4 ++--
.../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 2ab19875505..4343ec52430 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -300,8 +300,8 @@ func ClusterRoles() []rbac.ClusterRole {
eventsRule(),
rbac.NewRule("create").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
rbac.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
- rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "serviceaccounts").RuleOrDie(),
- rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "serviceaccounts").RuleOrDie(),
+ rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "secrets", "serviceaccounts").RuleOrDie(),
+ rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
// Needed to check API access. These creates are non-mutating
rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 53193e4017c..88feeb64ff3 100644
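Review bot: The two `+` rules widen this controller's reach from create/delete on secrets to get and update on every secret in the cluster, and nothing in the hunk records why; RBAC rules are keyed by resource, so the grant cannot be narrowed to service-account token secrets and the new read permission covers all secret types in all namespaces. The commit message justifies it with the rotation path in tokens_controller.go, and that justification belongs next to the rule so the next audit of the bootstrap policy does not have to rediscover it: `// get/update on secrets: the tokens controller reads and rewrites service-account token secrets during rotation; RBAC cannot scope this to that secret type, so it implies read access to every secret`. The role these rules belong to is not named inside the hunk (the enclosing `ClusterRoles` function starts before it), so it is inferred from the commit subject to be the token controller's role. The pre-existing create/delete rules already implied this level of trust, so this is a documentation point rather than a reason to block the change.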
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -460,6 +460,7 @@ items: resources: - endpoints - namespaces + - secrets - serviceaccounts verbs: - get
@@ -467,6 +468,7 @@ items: - "" resources: - endpoints + - secrets - serviceaccounts verbs: - update