From 3789051726d45fc01aa70afc566ad40b7ab360e6 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Fri, 20 Oct 2017 12:31:42 -0400 Subject: [PATCH] Update bootstrap policy with replicaset/daemonset permissions in the apps API group --- .../rbac/bootstrappolicy/controller_policy.go | 10 +++++----- .../authorizer/rbac/bootstrappolicy/policy.go | 15 +++++++++++---- .../bootstrappolicy/testdata/cluster-roles.yaml | 10 ++++++++++ .../testdata/controller-roles.yaml | 5 +++++ 4 files changed, 31 insertions(+), 9 deletions(-) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go index f81abc720c2..52b1d6fc1a3 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go @@ -98,7 +98,7 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) { rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(), rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/status").RuleOrDie(), rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/finalizers").RuleOrDie(), - rbac.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(), + rbac.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(), // TODO: remove "update" once // https://github.com/kubernetes/kubernetes/issues/36897 is resolved. rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("pods").RuleOrDie(), @@ -109,7 +109,7 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) { ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "disruption-controller"}, Rules: []rbac.PolicyRule{ rbac.NewRule("get", "list", "watch").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(), - rbac.NewRule("get", "list", "watch").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(), + rbac.NewRule("get", "list", "watch").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(), rbac.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(), rbac.NewRule("get", "list", "watch").Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), rbac.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(), @@ -230,9 +230,9 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) { addControllerRole(&controllerRoles, &controllerRoleBindings, rbac.ClusterRole{ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replicaset-controller"}, Rules: []rbac.PolicyRule{ - rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(), - rbac.NewRule("update").Groups(extensionsGroup).Resources("replicasets/status").RuleOrDie(), - rbac.NewRule("update").Groups(extensionsGroup).Resources("replicasets/finalizers").RuleOrDie(), + rbac.NewRule("get", "list", "watch", "update").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(), + rbac.NewRule("update").Groups(appsGroup, extensionsGroup).Resources("replicasets/status").RuleOrDie(), + rbac.NewRule("update").Groups(appsGroup, extensionsGroup).Resources("replicasets/finalizers").RuleOrDie(), rbac.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(), eventsRule(), }, diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index bea311c7ce9..7548ce78a0b 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -188,7 +188,9 @@ func ClusterRoles() []rbac.ClusterRole { rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets", - "deployments", "deployments/scale", "deployments/rollback").RuleOrDie(), + "daemonsets", + "deployments", "deployments/scale", "deployments/rollback", + "replicasets", "replicasets/scale").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(), @@ -222,7 +224,9 @@ func ClusterRoles() []rbac.ClusterRole { rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets", - "deployments", "deployments/scale", "deployments/rollback").RuleOrDie(), + "daemonsets", + "deployments", "deployments/scale", "deployments/rollback", + "replicasets", "replicasets/scale").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(), @@ -248,7 +252,10 @@ func ClusterRoles() []rbac.ClusterRole { // indicator of which namespaces you have access to. rbac.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(), - rbac.NewRule(Read...).Groups(appsGroup).Resources("statefulsets", "deployments", "deployments/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(appsGroup).Resources("statefulsets", + "daemonsets", + "deployments", "deployments/scale", + "replicasets", "replicasets/scale").RuleOrDie(), rbac.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(), @@ -353,7 +360,7 @@ func ClusterRoles() []rbac.ClusterRole { rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(), // things that select pods rbac.NewRule(Read...).Groups(legacyGroup).Resources("services", "replicationcontrollers").RuleOrDie(), - rbac.NewRule(Read...).Groups(extensionsGroup).Resources("replicasets").RuleOrDie(), + rbac.NewRule(Read...).Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(), rbac.NewRule(Read...).Groups(appsGroup).Resources("statefulsets").RuleOrDie(), // things that pods use rbac.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(), diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml index 4c6bf1e71a0..5c27ee1a89a 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml @@ -81,9 +81,12 @@ items: - apiGroups: - apps resources: + - daemonsets - deployments - deployments/rollback - deployments/scale + - replicasets + - replicasets/scale - statefulsets verbs: - create @@ -275,9 +278,12 @@ items: - apiGroups: - apps resources: + - daemonsets - deployments - deployments/rollback - deployments/scale + - replicasets + - replicasets/scale - statefulsets verbs: - create @@ -644,6 +650,7 @@ items: - list - watch - apiGroups: + - apps - extensions resources: - replicasets @@ -971,8 +978,11 @@ items: - apiGroups: - apps resources: + - daemonsets - deployments - deployments/scale + - replicasets + - replicasets/scale - statefulsets verbs: - get diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml index bc24fa3cf25..fdaf6b6cee6 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml @@ -255,6 +255,7 @@ items: verbs: - update - apiGroups: + - apps - extensions resources: - replicasets @@ -303,6 +304,7 @@ items: - list - watch - apiGroups: + - apps - extensions resources: - replicasets @@ -765,6 +767,7 @@ items: name: system:controller:replicaset-controller rules: - apiGroups: + - apps - extensions resources: - replicasets @@ -774,12 +777,14 @@ items: - update - watch - apiGroups: + - apps - extensions resources: - replicasets/status verbs: - update - apiGroups: + - apps - extensions resources: - replicasets/finalizers