From 363e861aeb19b362e0ef0fa7fcd8f034d0dce17c Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Fri, 23 Feb 2018 13:15:33 -0800
Subject: [PATCH] rbac: allow system:node role to make TokenRequests for all service accounts

---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 3f5f54e3b61..7daa7b2d712 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -146,6 +146,13 @@ func NodeRules() []rbac.PolicyRule {
 nodePolicyRules = append(nodePolicyRules, pvcStatusPolicyRule)
 }
 
+ if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
+ // Use the Node authorization to limit a node to create tokens for service accounts running on that node
+ // Use the NodeRestriction admission plugin to limit a node to create tokens bound to pods on that node
+ tokenRequestRule := rbac.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie()
+ nodePolicyRules = append(nodePolicyRules, tokenRequestRule)
+ }
+
 // CSI
 if utilfeature.DefaultFeatureGate.Enabled(features.CSIPersistentVolume) {
 volAttachRule := rbac.NewRule("get").Groups(storageGroup).Resources("volumeattachments").RuleOrDie()
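Review bot: The added rule `rbac.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token")` carries no resourceNames or namespace restriction, so the scoping the two comments above it describe exists only when the Node authorizer and the NodeRestriction admission plugin are both enabled; on a cluster that authorizes kubelets through RBAC alone (for example a legacy binding of the system:nodes group to this role) or that runs without NodeRestriction, any principal bound to system:node can mint a token for any service account in any namespace, turning a compromised node into a cluster-wide escalation. That dependency should be stated where the rule is granted rather than implied, e.g. `// WARNING: this rule is cluster-wide; without BOTH the Node authorizer and the NodeRestriction admission plugin enabled, any node can request tokens for any service account.` The `features.TokenRequest` gate is evaluated when the bootstrap policy is built, so presumably the rule is only present on apiservers started with that gate on, which is worth a line in the commit message for operators reconciling the policy. NodeRules begins before and ends after this hunk.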