Merge pull request #62146 from frodenas/fix-dsc-rbac

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix daemon-set-controller bootstrap RBAC policy

**What this PR does / why we need it**: 

Adds a `get` permission for the `controllerrevisions` resource to the `daemon-set-controller` cluster role.

**Which issue(s) this PR fixes** :

Fixes #62145

**Special notes for your reviewer**:

The daemon-sets controller [constructs the history](https://github.com/kubernetes/kubernetes/blob/release-1.9/pkg/controller/daemon/daemon_controller.go#L1116) of the daemon-set, so it needs to [check the controller revisions](https://github.com/kubernetes/kubernetes/blob/release-1.9/pkg/controller/daemon/update.go#L265) for the daemon-set app. See issue above.

**Release note**:

```release-note
Resolves forbidden error when the `daemon-set-controller` cluster role access `controllerrevisions` resources.
```

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go

@@ -105,7 +105,7 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
 			rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 			rbac.NewRule("list", "watch", "create", "delete", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			rbac.NewRule("create").Groups(legacyGroup).Resources("pods/binding").RuleOrDie(),
-			rbac.NewRule("list", "watch", "create", "delete", "update", "patch").Groups(appsGroup).Resources("controllerrevisions").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "create", "delete", "update", "patch").Groups(appsGroup).Resources("controllerrevisions").RuleOrDie(),
 			eventsRule(),
 		},
 	})

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml

@@ -239,6 +239,7 @@ items:
     verbs:
     - create
     - delete
+    - get
     - list
     - patch
     - update