mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-10 12:32:03 +00:00
Update bootstrap policy with replicaset/daemonset permissions in the apps API group
This commit is contained in:
Jordan Liggitt
parent
e3e2e24cc5
commit
3789051726
@ -98,7 +98,7 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
|
|||||||
rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
|
||||||
rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/status").RuleOrDie(),
|
rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/status").RuleOrDie(),
|
||||||
rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/finalizers").RuleOrDie(),
|
rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/finalizers").RuleOrDie(),
|
||||||
rbac.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
|
||||||
// TODO: remove "update" once
|
// TODO: remove "update" once
|
||||||
// https://github.com/kubernetes/kubernetes/issues/36897 is resolved.
|
// https://github.com/kubernetes/kubernetes/issues/36897 is resolved.
|
||||||
rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("pods").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("pods").RuleOrDie(),
|
||||||
@ -109,7 +109,7 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
|
|||||||
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "disruption-controller"},
|
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "disruption-controller"},
|
||||||
Rules: []rbac.PolicyRule{
|
Rules: []rbac.PolicyRule{
|
||||||
rbac.NewRule("get", "list", "watch").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
|
||||||
rbac.NewRule("get", "list", "watch").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
|
||||||
rbac.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
|
||||||
rbac.NewRule("get", "list", "watch").Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch").Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
||||||
rbac.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
|
||||||
@ -230,9 +230,9 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
|
|||||||
addControllerRole(&controllerRoles, &controllerRoleBindings, rbac.ClusterRole{
|
addControllerRole(&controllerRoles, &controllerRoleBindings, rbac.ClusterRole{
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replicaset-controller"},
|
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replicaset-controller"},
|
||||||
Rules: []rbac.PolicyRule{
|
Rules: []rbac.PolicyRule{
|
||||||
rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
|
rbac.NewRule("get", "list", "watch", "update").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
|
||||||
rbac.NewRule("update").Groups(extensionsGroup).Resources("replicasets/status").RuleOrDie(),
|
rbac.NewRule("update").Groups(appsGroup, extensionsGroup).Resources("replicasets/status").RuleOrDie(),
|
||||||
rbac.NewRule("update").Groups(extensionsGroup).Resources("replicasets/finalizers").RuleOrDie(),
|
rbac.NewRule("update").Groups(appsGroup, extensionsGroup).Resources("replicasets/finalizers").RuleOrDie(),
|
||||||
rbac.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
|
rbac.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
|
||||||
eventsRule(),
|
eventsRule(),
|
||||||
},
|
},
|
||||||
|
|||||||
@ -188,7 +188,9 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
|
rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets",
|
rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets",
|
||||||
"deployments", "deployments/scale", "deployments/rollback").RuleOrDie(),
|
"daemonsets",
|
||||||
|
"deployments", "deployments/scale", "deployments/rollback",
|
||||||
|
"replicasets", "replicasets/scale").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
|
rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
|
||||||
|
|
||||||
@ -222,7 +224,9 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
|
rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets",
|
rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets",
|
||||||
"deployments", "deployments/scale", "deployments/rollback").RuleOrDie(),
|
"daemonsets",
|
||||||
|
"deployments", "deployments/scale", "deployments/rollback",
|
||||||
|
"replicasets", "replicasets/scale").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
|
rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
|
||||||
|
|
||||||
@ -248,7 +252,10 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
// indicator of which namespaces you have access to.
|
// indicator of which namespaces you have access to.
|
||||||
rbac.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(Read...).Groups(appsGroup).Resources("statefulsets", "deployments", "deployments/scale").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(appsGroup).Resources("statefulsets",
|
||||||
|
"daemonsets",
|
||||||
|
"deployments", "deployments/scale",
|
||||||
|
"replicasets", "replicasets/scale").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
|
||||||
|
|
||||||
@ -353,7 +360,7 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
|
rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
|
||||||
// things that select pods
|
// things that select pods
|
||||||
rbac.NewRule(Read...).Groups(legacyGroup).Resources("services", "replicationcontrollers").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(legacyGroup).Resources("services", "replicationcontrollers").RuleOrDie(),
|
||||||
rbac.NewRule(Read...).Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
|
||||||
rbac.NewRule(Read...).Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
|
||||||
// things that pods use
|
// things that pods use
|
||||||
rbac.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
|
||||||
|
|||||||
@ -81,9 +81,12 @@ items:
|
|||||||
- apiGroups:
|
- apiGroups:
|
||||||
- apps
|
- apps
|
||||||
resources:
|
resources:
|
||||||
|
- daemonsets
|
||||||
- deployments
|
- deployments
|
||||||
- deployments/rollback
|
- deployments/rollback
|
||||||
- deployments/scale
|
- deployments/scale
|
||||||
|
- replicasets
|
||||||
|
- replicasets/scale
|
||||||
- statefulsets
|
- statefulsets
|
||||||
verbs:
|
verbs:
|
||||||
- create
|
- create
|
||||||
@ -275,9 +278,12 @@ items:
|
|||||||
- apiGroups:
|
- apiGroups:
|
||||||
- apps
|
- apps
|
||||||
resources:
|
resources:
|
||||||
|
- daemonsets
|
||||||
- deployments
|
- deployments
|
||||||
- deployments/rollback
|
- deployments/rollback
|
||||||
- deployments/scale
|
- deployments/scale
|
||||||
|
- replicasets
|
||||||
|
- replicasets/scale
|
||||||
- statefulsets
|
- statefulsets
|
||||||
verbs:
|
verbs:
|
||||||
- create
|
- create
|
||||||
@ -644,6 +650,7 @@ items:
|
|||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
|
- apps
|
||||||
- extensions
|
- extensions
|
||||||
resources:
|
resources:
|
||||||
- replicasets
|
- replicasets
|
||||||
@ -971,8 +978,11 @@ items:
|
|||||||
- apiGroups:
|
- apiGroups:
|
||||||
- apps
|
- apps
|
||||||
resources:
|
resources:
|
||||||
|
- daemonsets
|
||||||
- deployments
|
- deployments
|
||||||
- deployments/scale
|
- deployments/scale
|
||||||
|
- replicasets
|
||||||
|
- replicasets/scale
|
||||||
- statefulsets
|
- statefulsets
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
|
|||||||
@ -255,6 +255,7 @@ items:
|
|||||||
verbs:
|
verbs:
|
||||||
- update
|
- update
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
|
- apps
|
||||||
- extensions
|
- extensions
|
||||||
resources:
|
resources:
|
||||||
- replicasets
|
- replicasets
|
||||||
@ -303,6 +304,7 @@ items:
|
|||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
|
- apps
|
||||||
- extensions
|
- extensions
|
||||||
resources:
|
resources:
|
||||||
- replicasets
|
- replicasets
|
||||||
@ -765,6 +767,7 @@ items:
|
|||||||
name: system:controller:replicaset-controller
|
name: system:controller:replicaset-controller
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
|
- apps
|
||||||
- extensions
|
- extensions
|
||||||
resources:
|
resources:
|
||||||
- replicasets
|
- replicasets
|
||||||
@ -774,12 +777,14 @@ items:
|
|||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
|
- apps
|
||||||
- extensions
|
- extensions
|
||||||
resources:
|
resources:
|
||||||
- replicasets/status
|
- replicasets/status
|
||||||
verbs:
|
verbs:
|
||||||
- update
|
- update
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
|
- apps
|
||||||
- extensions
|
- extensions
|
||||||
resources:
|
resources:
|
||||||
- replicasets/finalizers
|
- replicasets/finalizers
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user