mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-10-22 15:09:39 +00:00
Merge pull request #39383 from liggitt/bind-check
Automatic merge from submit-queue (batch tested with PRs 39694, 39383, 39651, 39691, 39497)

Allow rolebinding/clusterrolebinding with explicit bind permission check

Fixes https://github.com/kubernetes/kubernetes/issues/39176
Fixes https://github.com/kubernetes/kubernetes/issues/39258

Allows creating/updating a rolebinding/clusterrolebinding if the user has explicitly been granted permission to perform the "bind" verb against the referenced role/clusterrole (previously, they could only bind if they already had all the permissions in the referenced role via an RBAC role themselves)

```release-note
To create or update an RBAC RoleBinding or ClusterRoleBinding object, a user must:
1. Be authorized to make the create or update API request
2. Be allowed to bind the referenced role, either by already having all of the permissions contained in the referenced role, or by having the "bind" permission on the referenced role.
```
@@ -1,6 +1,6 @@
|
||||
# This is the main user for the e2e tests. This is ok to leave long term
|
||||
# since the first user in the test can reasonably be high power
|
||||
# its kubecfg in gce and kubekins in gke
|
||||
# its kubecfg in gce
|
||||
# TODO consider provisioning each test its namespace and giving it an
|
||||
# admin user. This still has to exist, but e2e wouldn't normally use it
|
||||
apiVersion: rbac.authorization.k8s.io/v1alpha1
|
||||
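Review bot: In the header comment, the line "its kubecfg in gce" drops the mention of kubekins in gke without saying which identity GKE e2e runs rely on, while the surrounding lines still justify keeping a high-power user long term. State in the comment where the GKE test user gets its permissions, and correct "its" to "it's" while the line is being touched.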
@@ -17,6 +17,3 @@ subjects:
|
||||
- apiVersion: rbac/v1alpha1
|
||||
kind: User
|
||||
name: kubecfg
|
||||
- apiVersion: rbac/v1alpha1
|
||||
kind: User
|
||||
name: kubekins@kubernetes-jenkins.iam.gserviceaccount.com
|
||||
|
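Review bot: Removing the kubekins@kubernetes-jenkins.iam.gserviceaccount.com entry from the subjects list is not explained in the commit message, which only covers the bind permission check. Confirm that GKE e2e jobs running as that service account get the access they need from another binding, or no longer need it, and record the reason in the description. Narrowing this binding to the single kubecfg user reduces who holds the high-power grant, which is a good direction, but the dependency should be documented so a later change does not re-add the subject.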