diff --git a/pkg/apis/rbac/BUILD b/pkg/apis/rbac/BUILD
index f0ceda59a22..faf9211be58 100644
--- a/pkg/apis/rbac/BUILD
+++ b/pkg/apis/rbac/BUILD
@@ -26,6 +26,7 @@ go_library(
 "//pkg/conversion:go_default_library",
 "//pkg/runtime:go_default_library",
 "//pkg/runtime/schema:go_default_library",
+ "//pkg/util/sets:go_default_library",
 "//pkg/watch/versioned:go_default_library",
 ],
 )
diff --git a/pkg/apis/rbac/helpers.go b/pkg/apis/rbac/helpers.go
index c73741b0471..e1048eb800d 100644
--- a/pkg/apis/rbac/helpers.go
+++ b/pkg/apis/rbac/helpers.go
@@ -22,6 +22,7 @@ import (
 "k8s.io/kubernetes/pkg/api"
 "k8s.io/kubernetes/pkg/runtime/schema"
+ "k8s.io/kubernetes/pkg/util/sets"
 )
 func RoleRefGroupKind(roleRef RoleRef) schema.GroupKind {
@@ -133,27 +134,27 @@ type PolicyRuleBuilder struct {
 func NewRule(verbs ...string) *PolicyRuleBuilder {
 return &PolicyRuleBuilder{
- PolicyRule: PolicyRule{Verbs: verbs},
+ PolicyRule: PolicyRule{Verbs: sets.NewString(verbs...).List()},
 }
 }
 func (r *PolicyRuleBuilder) Groups(groups ...string) *PolicyRuleBuilder {
- r.PolicyRule.APIGroups = append(r.PolicyRule.APIGroups, groups...)
+ r.PolicyRule.APIGroups = combine(r.PolicyRule.APIGroups, groups)
 return r
 }
 func (r *PolicyRuleBuilder) Resources(resources ...string) *PolicyRuleBuilder {
- r.PolicyRule.Resources = append(r.PolicyRule.Resources, resources...)
+ r.PolicyRule.Resources = combine(r.PolicyRule.Resources, resources)
 return r
 }
 func (r *PolicyRuleBuilder) Names(names ...string) *PolicyRuleBuilder {
- r.PolicyRule.ResourceNames = append(r.PolicyRule.ResourceNames, names...)
+ r.PolicyRule.ResourceNames = combine(r.PolicyRule.ResourceNames, names)
 return r
 }
 func (r *PolicyRuleBuilder) URLs(urls ...string) *PolicyRuleBuilder {
- r.PolicyRule.NonResourceURLs = append(r.PolicyRule.NonResourceURLs, urls...)
+ r.PolicyRule.NonResourceURLs = combine(r.PolicyRule.NonResourceURLs, urls)
 return r
 }
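Review bot: NewRule and the Groups/Resources/Names/URLs methods now change the contract of PolicyRuleBuilder — values are deduplicated and come back in sorted order from sets.String.List(), so argument order is no longer preserved — but nothing at the builder documents this. Add a doc comment on NewRule such as `// NewRule returns a PolicyRuleBuilder seeded with verbs. Every list the builder holds (verbs, groups, resources, names, URLs) is deduplicated and sorted, so argument order is not preserved.` The unexported helper `combine` introduced in the following hunk should carry the same fact in one line, e.g. `// combine returns the sorted, deduplicated union of s1 and s2.` Presumably the sorting is what makes the new YAML fixtures deterministic, which is worth stating so nobody later reverts it to a plain append.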
@@ -165,6 +166,12 @@ func (r *PolicyRuleBuilder) RuleOrDie() PolicyRule {
 return ret
 }
+func combine(s1, s2 []string) []string {
+ s := sets.NewString(s1...)
+ s.Insert(s2...)
+ return s.List()
+}
+
 func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) {
 if len(r.PolicyRule.Verbs) == 0 {
 return PolicyRule{}, fmt.Errorf("verbs are required: %#v", r.PolicyRule)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
index 5dacb7d862c..9603a37f785 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
@@ -30,10 +30,18 @@ go_test(
 srcs = ["policy_test.go"],
 tags = ["automanaged"],
 deps = [
+ "//pkg/api:go_default_library",
+ "//pkg/api/install:go_default_library",
+ "//pkg/api/v1:go_default_library",
 "//pkg/apis/rbac:go_default_library",
+ "//pkg/apis/rbac/install:go_default_library",
+ "//pkg/apis/rbac/v1alpha1:go_default_library",
 "//pkg/apis/rbac/validation:go_default_library",
+ "//pkg/runtime:go_default_library",
+ "//pkg/util/diff:go_default_library",
 "//pkg/util/sets:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
+ "//vendor:github.com/ghodss/yaml",
 ],
 )
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
index e4b98b9f06d..2de4bf8fca6 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
@@ -17,10 +17,22 @@ limitations under the License.
 package bootstrappolicy_test
 import (
+ "io/ioutil"
+ "os"
+ "path/filepath"
 "testing"
+ "github.com/ghodss/yaml"
+
+ "k8s.io/kubernetes/pkg/api"
+ _ "k8s.io/kubernetes/pkg/api/install"
+ "k8s.io/kubernetes/pkg/api/v1"
 rbac "k8s.io/kubernetes/pkg/apis/rbac"
+ _ "k8s.io/kubernetes/pkg/apis/rbac/install"
+ rbacv1alpha1 "k8s.io/kubernetes/pkg/apis/rbac/v1alpha1"
 rbacvalidation "k8s.io/kubernetes/pkg/apis/rbac/validation"
+ "k8s.io/kubernetes/pkg/runtime"
+ "k8s.io/kubernetes/pkg/util/diff"
 "k8s.io/kubernetes/pkg/util/sets"
 "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
 )
@@ -136,3 +148,88 @@ func TestEditViewRelationship(t *testing.T) {
 t.Errorf("view is missing rules for: %#v\nIf these are escalating powers, add them to the list. Otherwise, add them to the view role.", miss)
 }
 }
+
+func TestBootstrapClusterRoles(t *testing.T) {
+ list := &api.List{}
+ names := sets.NewString()
+ roles := map[string]runtime.Object{}
+ bootstrapRoles := bootstrappolicy.ClusterRoles()
+ for i := range bootstrapRoles {
+ role := bootstrapRoles[i]
+ names.Insert(role.Name)
+ roles[role.Name] = &role
+ }
+ for _, name := range names.List() {
+ list.Items = append(list.Items, roles[name])
+ }
+ testObjects(t, list, "cluster-roles.yaml")
+}
+
+func TestBootstrapControllerRoles(t *testing.T) {
+ list := &api.List{}
+ names := sets.NewString()
+ roles := map[string]runtime.Object{}
+ bootstrapRoles := bootstrappolicy.ControllerRoles()
+ for i := range bootstrapRoles {
+ role := bootstrapRoles[i]
+ names.Insert(role.Name)
+ roles[role.Name] = &role
+ }
+ for _, name := range names.List() {
+ list.Items = append(list.Items, roles[name])
+ }
+ testObjects(t, list, "controller-roles.yaml")
+}
+
+func TestBootstrapControllerRoleBindings(t *testing.T) {
+ list := &api.List{}
+ names := sets.NewString()
+ roleBindings := map[string]runtime.Object{}
+ bootstrapRoleBindings := bootstrappolicy.ControllerRoleBindings()
+ for i := range bootstrapRoleBindings {
+ roleBinding := bootstrapRoleBindings[i]
+ names.Insert(roleBinding.Name)
+ roleBindings[roleBinding.Name] = &roleBinding
+ }
+ for _, name := range names.List() {
+ list.Items = append(list.Items, roleBindings[name])
+ }
+ testObjects(t, list, "controller-role-bindings.yaml")
+}
+
+func testObjects(t *testing.T, list *api.List, fixtureFilename string) {
+ filename := filepath.Join("testdata", fixtureFilename)
+ expectedYAML, err := ioutil.ReadFile(filename)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if err := runtime.EncodeList(api.Codecs.LegacyCodec(v1.SchemeGroupVersion, rbacv1alpha1.SchemeGroupVersion), list.Items); err != nil {
+ t.Fatal(err)
+ }
+
+ jsonData, err := runtime.Encode(api.Codecs.LegacyCodec(v1.SchemeGroupVersion, rbacv1alpha1.SchemeGroupVersion), list)
+ if err != nil {
+ t.Fatal(err)
+ }
+ yamlData, err := yaml.JSONToYAML(jsonData)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if string(yamlData) != string(expectedYAML) {
+ t.Errorf("Bootstrap policy data does not match the test fixture in %s", filename)
+
+ const updateEnvVar = "UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA"
+ if os.Getenv(updateEnvVar) == "true" {
+ if err := ioutil.WriteFile(filename, []byte(yamlData), os.FileMode(0755)); err == nil {
+ t.Logf("Updated data in %s", filename)
+ t.Logf("Verify the diff, commit changes, and rerun the tests")
+ } else {
+ t.Logf("Could not update data in %s: %v", filename, err)
+ }
+ } else {
+ t.Logf("Diff between bootstrap data and fixture data in %s:\n-------------\n%s", filename, diff.StringDiff(string(yamlData), string(expectedYAML)))
+ t.Logf("If the change is expected, re-run with %s=true to update the fixtures", updateEnvVar)
+ }
+ }
+}
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
new file mode 100644
index 00000000000..2cebcba747d
--- /dev/null
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
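Review bot: In testObjects the fixture is rewritten with `os.FileMode(0755)`, which marks a YAML data file executable; `0644` is the right mode for a checked-in fixture. The `[]byte(yamlData)` conversion on the same line is a no-op because yaml.JSONToYAML already returns a byte slice, so the call can read `if err := ioutil.WriteFile(filename, yamlData, 0644); err == nil {`. Since these fixtures are what makes any change to the bootstrap ClusterRoles and bindings visible in review, it would also help to state that intent above testObjects, e.g. `// testObjects fails when the bootstrap policy no longer matches the checked-in fixture; set UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true to regenerate it.`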
@@ -0,0 +1,592 @@ +apiVersion: v1 +items: +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: admin + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - autoscaling + attributeRestrictions: null + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + - scheduledjobs + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - 
horizontalpodautoscalers + - jobs + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - authorization.k8s.io + attributeRestrictions: null + resources: + - localsubjectaccessreviews + verbs: + - create + - apiGroups: + - rbac.authorization.k8s.io + attributeRestrictions: null + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: cluster-admin + rules: + - apiGroups: + - '*' + attributeRestrictions: null + resources: + - '*' + verbs: + - '*' + - attributeRestrictions: null + nonResourceURLs: + - '*' + verbs: + - '*' +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: edit + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - "" + 
attributeRestrictions: null + resources: + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - autoscaling + attributeRestrictions: null + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + - scheduledjobs + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - horizontalpodautoscalers + - jobs + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:auth-delegator + rules: + - apiGroups: + - authentication.k8s.io + attributeRestrictions: null + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + attributeRestrictions: null + resources: + - subjectaccessreviews + verbs: + - create +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:basic-user + rules: + - apiGroups: + - authorization.k8s.io + attributeRestrictions: null + resources: + - selfsubjectaccessreviews + verbs: + - create +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:discovery + rules: + - attributeRestrictions: null + nonResourceURLs: + - /api + - /api/* + - /apis + - /apis/* + - /version + verbs: + - get +- apiVersion: 
rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:node + rules: + - apiGroups: + - authentication.k8s.io + attributeRestrictions: null + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + attributeRestrictions: null + resources: + - localsubjectaccessreviews + - subjectaccessreviews + verbs: + - create + - apiGroups: + - "" + attributeRestrictions: null + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - nodes + verbs: + - create + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - nodes/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - create + - delete + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - secrets + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - persistentvolumeclaims + - persistentvolumes + verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - endpoints + verbs: + - get +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:node-proxier + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - endpoints + - services + verbs: + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: view + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - configmaps + - 
endpoints + - persistentvolumeclaims + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - autoscaling + attributeRestrictions: null + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch + - apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + - jobs + - scheduledjobs + verbs: + - get + - list + - watch + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + - deployments + - deployments/scale + - horizontalpodautoscalers + - jobs + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - get + - list + - watch +kind: List +metadata: {} diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml new file mode 100644 index 00000000000..45bf22c2148 --- /dev/null +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml 
@@ -0,0 +1,199 @@ +apiVersion: v1 +items: +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:attachdetach-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:attachdetach-controller + subjects: + - kind: ServiceAccount + name: attachdetach-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:cronjob-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:cronjob-controller + subjects: + - kind: ServiceAccount + name: cronjob-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:daemon-set-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:daemon-set-controller + subjects: + - kind: ServiceAccount + name: daemon-set-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:deployment-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:deployment-controller + subjects: + - kind: ServiceAccount + name: deployment-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:disruption-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:disruption-controller + subjects: + - kind: ServiceAccount + name: disruption-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + 
creationTimestamp: null + name: system:controller:endpoint-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:endpoint-controller + subjects: + - kind: ServiceAccount + name: endpoint-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:horizontal-pod-autoscaler + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:horizontal-pod-autoscaler + subjects: + - kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:job-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:job-controller + subjects: + - kind: ServiceAccount + name: job-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:namespace-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:namespace-controller + subjects: + - kind: ServiceAccount + name: namespace-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:persistent-volume-binder + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:persistent-volume-binder + subjects: + - kind: ServiceAccount + name: persistent-volume-binder + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:pod-garbage-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + 
name: system:controller:pod-garbage-controller + subjects: + - kind: ServiceAccount + name: pod-garbage-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:replicaset-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:replicaset-controller + subjects: + - kind: ServiceAccount + name: replicaset-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:replication-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:replication-controller + subjects: + - kind: ServiceAccount + name: replication-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:service-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:service-controller + subjects: + - kind: ServiceAccount + name: service-controller + namespace: kube-system +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + name: system:controller:statefulset-controller + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:controller:statefulset-controller + subjects: + - kind: ServiceAccount + name: statefulset-controller + namespace: kube-system +kind: List +metadata: {} diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml new file mode 100644 index 00000000000..5cc27b5ed81 --- /dev/null +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml 
@@ -0,0 +1,722 @@ +apiVersion: v1 +items: +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:attachdetach-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - persistentvolumeclaims + - persistentvolumes + verbs: + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - nodes/status + verbs: + - patch + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:cronjob-controller + rules: + - apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs + verbs: + - get + - list + - update + - watch + - apiGroups: + - batch + attributeRestrictions: null + resources: + - jobs + verbs: + - create + - delete + - get + - list + - watch + - apiGroups: + - batch + attributeRestrictions: null + resources: + - cronjobs/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:daemon-set-controller + rules: + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get + - list + - watch + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - "" + attributeRestrictions: 
null + resources: + - pods + verbs: + - create + - delete + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods/binding + verbs: + - create + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:deployment-controller + rules: + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - deployments + verbs: + - get + - list + - update + - watch + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - deployments/status + verbs: + - update + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - replicasets + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - get + - list + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:disruption-controller + rules: + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - deployments + verbs: + - get + - list + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - replicasets + verbs: + - get + - list + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + verbs: + - get + - list + - apiGroups: + - policy + attributeRestrictions: null + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch + - apiGroups: + - policy + attributeRestrictions: null + resources: + - poddisruptionbudgets/status + verbs: + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: 
system:controller:endpoint-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + - services + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - endpoints + verbs: + - create + - delete + - get + - list + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - endpoints/restricted + verbs: + - create + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:horizontal-pod-autoscaler + rules: + - apiGroups: + - autoscaling + - extensions + attributeRestrictions: null + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch + - apiGroups: + - autoscaling + - extensions + attributeRestrictions: null + resources: + - horizontalpodautoscalers/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers/scale + verbs: + - get + - update + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - deployments/scale + - replicasets/scale + verbs: + - get + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - list + - apiGroups: + - "" + attributeRestrictions: null + resourceNames: + - 'https:heapster:' + resources: + - services + verbs: + - proxy + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:job-controller + rules: + - apiGroups: + - batch + - extensions + attributeRestrictions: null + resources: + - jobs + verbs: + - get + - list + - update + - watch + - apiGroups: + - batch + - extensions + attributeRestrictions: null + resources: 
+ - jobs/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - create + - delete + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:namespace-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces + verbs: + - delete + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - namespaces/finalize + - namespaces/status + verbs: + - update + - apiGroups: + - '*' + attributeRestrictions: null + resources: + - '*' + verbs: + - delete + - deletecollection + - get + - list +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:persistent-volume-binder + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - persistentvolumes + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - persistentvolumes/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - persistentvolumeclaims + verbs: + - get + - list + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - persistentvolumeclaims/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - create + - delete + - get + - list + - watch + - apiGroups: + - storage.k8s.io + attributeRestrictions: null + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - endpoints + - services + verbs: + - create + - delete + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - secrets 
+ verbs: + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:pod-garbage-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - delete + - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:replicaset-controller + rules: + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - replicasets + verbs: + - get + - list + - update + - watch + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - replicasets/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - create + - delete + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:replication-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers + verbs: + - get + - list + - update + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - replicationcontrollers/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - create + - delete + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:service-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - services + verbs: + - get + - 
list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - services/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +- apiVersion: rbac.authorization.k8s.io/v1alpha1 + kind: ClusterRole + metadata: + creationTimestamp: null + name: system:controller:statefulset-controller + rules: + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - list + - watch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - statefulsets/status + verbs: + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - pods + verbs: + - create + - delete + - get + - update + - apiGroups: + - "" + attributeRestrictions: null + resources: + - persistentvolumeclaims + verbs: + - create + - get + - apiGroups: + - "" + attributeRestrictions: null + resources: + - events + verbs: + - create + - patch + - update +kind: List +metadata: {}