github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-06 02:34:03 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #36538 from liggitt/bootstrap-roles

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 36352, 36538, 37976, 36374)

Check in YAML versions of bootstrap roles/rolebindings

Allows auditing changes to bootstrap roles over time, preventing accidental changes, and gives a place for people to pull bootstrap roles to load directly
This commit is contained in:
Kubernetes Submit Queue 2016-12-05 11:08:44 -08:00 committed by GitHub
commit 45327221a4
7 changed files with 1631 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/apis/rbac/BUILD
View File

@ -26,6 +26,7 @@ go_library(
"//pkg/conversion:go_default_library", "//pkg/conversion:go_default_library",
"//pkg/runtime:go_default_library", "//pkg/runtime:go_default_library",
"//pkg/runtime/schema:go_default_library", "//pkg/runtime/schema:go_default_library",
"//pkg/util/sets:go_default_library",
"//pkg/watch/versioned:go_default_library", "//pkg/watch/versioned:go_default_library",
], ],
) )

17
pkg/apis/rbac/helpers.go
View File

@ -22,6 +22,7 @@ import (
"k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/runtime/schema" "k8s.io/kubernetes/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/util/sets"
) )
func RoleRefGroupKind(roleRef RoleRef) schema.GroupKind { func RoleRefGroupKind(roleRef RoleRef) schema.GroupKind {
@ -133,27 +134,27 @@ type PolicyRuleBuilder struct {
func NewRule(verbs ...string) *PolicyRuleBuilder { func NewRule(verbs ...string) *PolicyRuleBuilder {
return &PolicyRuleBuilder{ return &PolicyRuleBuilder{
PolicyRule: PolicyRule{Verbs: verbs}, PolicyRule: PolicyRule{Verbs: sets.NewString(verbs...).List()},
} }
} }
func (r *PolicyRuleBuilder) Groups(groups ...string) *PolicyRuleBuilder { func (r *PolicyRuleBuilder) Groups(groups ...string) *PolicyRuleBuilder {
r.PolicyRule.APIGroups = append(r.PolicyRule.APIGroups, groups...) r.PolicyRule.APIGroups = combine(r.PolicyRule.APIGroups, groups)
return r return r
} }
func (r *PolicyRuleBuilder) Resources(resources ...string) *PolicyRuleBuilder { func (r *PolicyRuleBuilder) Resources(resources ...string) *PolicyRuleBuilder {
r.PolicyRule.Resources = append(r.PolicyRule.Resources, resources...) r.PolicyRule.Resources = combine(r.PolicyRule.Resources, resources)
return r return r
} }
func (r *PolicyRuleBuilder) Names(names ...string) *PolicyRuleBuilder { func (r *PolicyRuleBuilder) Names(names ...string) *PolicyRuleBuilder {
r.PolicyRule.ResourceNames = append(r.PolicyRule.ResourceNames, names...) r.PolicyRule.ResourceNames = combine(r.PolicyRule.ResourceNames, names)
return r return r
} }
func (r *PolicyRuleBuilder) URLs(urls ...string) *PolicyRuleBuilder { func (r *PolicyRuleBuilder) URLs(urls ...string) *PolicyRuleBuilder {
r.PolicyRule.NonResourceURLs = append(r.PolicyRule.NonResourceURLs, urls...) r.PolicyRule.NonResourceURLs = combine(r.PolicyRule.NonResourceURLs, urls)
return r return r
} }
@ -165,6 +166,12 @@ func (r *PolicyRuleBuilder) RuleOrDie() PolicyRule {
return ret return ret
} }
func combine(s1, s2 []string) []string {
s := sets.NewString(s1...)
s.Insert(s2...)
return s.List()
}
func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) { func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) {
if len(r.PolicyRule.Verbs) == 0 { if len(r.PolicyRule.Verbs) == 0 {
return PolicyRule{}, fmt.Errorf("verbs are required: %#v", r.PolicyRule) return PolicyRule{}, fmt.Errorf("verbs are required: %#v", r.PolicyRule)

8
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/BUILD
View File

@ -30,10 +30,18 @@ go_test(
srcs = ["policy_test.go"], srcs = ["policy_test.go"],
tags = ["automanaged"], tags = ["automanaged"],
deps = [ deps = [
"//pkg/api:go_default_library",
"//pkg/api/install:go_default_library",
"//pkg/api/v1:go_default_library",
"//pkg/apis/rbac:go_default_library", "//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/install:go_default_library",
"//pkg/apis/rbac/v1alpha1:go_default_library",
"//pkg/apis/rbac/validation:go_default_library", "//pkg/apis/rbac/validation:go_default_library",
"//pkg/runtime:go_default_library",
"//pkg/util/diff:go_default_library",
"//pkg/util/sets:go_default_library", "//pkg/util/sets:go_default_library",
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library", "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
"//vendor:github.com/ghodss/yaml",
], ],
) )

97
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
View File

@ -17,10 +17,22 @@ limitations under the License.
package bootstrappolicy_test package bootstrappolicy_test
import ( import (
"io/ioutil"
"os"
"path/filepath"
"testing" "testing"
"github.com/ghodss/yaml"
"k8s.io/kubernetes/pkg/api"
_ "k8s.io/kubernetes/pkg/api/install"
"k8s.io/kubernetes/pkg/api/v1"
rbac "k8s.io/kubernetes/pkg/apis/rbac" rbac "k8s.io/kubernetes/pkg/apis/rbac"
_ "k8s.io/kubernetes/pkg/apis/rbac/install"
rbacv1alpha1 "k8s.io/kubernetes/pkg/apis/rbac/v1alpha1"
rbacvalidation "k8s.io/kubernetes/pkg/apis/rbac/validation" rbacvalidation "k8s.io/kubernetes/pkg/apis/rbac/validation"
"k8s.io/kubernetes/pkg/runtime"
"k8s.io/kubernetes/pkg/util/diff"
"k8s.io/kubernetes/pkg/util/sets" "k8s.io/kubernetes/pkg/util/sets"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy" "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
) )
@ -136,3 +148,88 @@ func TestEditViewRelationship(t *testing.T) {
t.Errorf("view is missing rules for: %#v\nIf these are escalating powers, add them to the list. Otherwise, add them to the view role.", miss) t.Errorf("view is missing rules for: %#v\nIf these are escalating powers, add them to the list. Otherwise, add them to the view role.", miss)
} }
} }
func TestBootstrapClusterRoles(t *testing.T) {
list := &api.List{}
names := sets.NewString()
roles := map[string]runtime.Object{}
bootstrapRoles := bootstrappolicy.ClusterRoles()
for i := range bootstrapRoles {
role := bootstrapRoles[i]
names.Insert(role.Name)
roles[role.Name] = &role
}
for _, name := range names.List() {
list.Items = append(list.Items, roles[name])
}
testObjects(t, list, "cluster-roles.yaml")
}
func TestBootstrapControllerRoles(t *testing.T) {
list := &api.List{}
names := sets.NewString()
roles := map[string]runtime.Object{}
bootstrapRoles := bootstrappolicy.ControllerRoles()
for i := range bootstrapRoles {
role := bootstrapRoles[i]
names.Insert(role.Name)
roles[role.Name] = &role
}
for _, name := range names.List() {
list.Items = append(list.Items, roles[name])
}
testObjects(t, list, "controller-roles.yaml")
}
func TestBootstrapControllerRoleBindings(t *testing.T) {
list := &api.List{}
names := sets.NewString()
roleBindings := map[string]runtime.Object{}
bootstrapRoleBindings := bootstrappolicy.ControllerRoleBindings()
for i := range bootstrapRoleBindings {
roleBinding := bootstrapRoleBindings[i]
names.Insert(roleBinding.Name)
roleBindings[roleBinding.Name] = &roleBinding
}
for _, name := range names.List() {
list.Items = append(list.Items, roleBindings[name])
}
testObjects(t, list, "controller-role-bindings.yaml")
}
func testObjects(t *testing.T, list *api.List, fixtureFilename string) {
filename := filepath.Join("testdata", fixtureFilename)
expectedYAML, err := ioutil.ReadFile(filename)
if err != nil {
t.Fatal(err)
}
if err := runtime.EncodeList(api.Codecs.LegacyCodec(v1.SchemeGroupVersion, rbacv1alpha1.SchemeGroupVersion), list.Items); err != nil {
t.Fatal(err)
}
jsonData, err := runtime.Encode(api.Codecs.LegacyCodec(v1.SchemeGroupVersion, rbacv1alpha1.SchemeGroupVersion), list)
if err != nil {
t.Fatal(err)
}
yamlData, err := yaml.JSONToYAML(jsonData)
if err != nil {
t.Fatal(err)
}
if string(yamlData) != string(expectedYAML) {
t.Errorf("Bootstrap policy data does not match the test fixture in %s", filename)
const updateEnvVar = "UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA"
if os.Getenv(updateEnvVar) == "true" {
if err := ioutil.WriteFile(filename, []byte(yamlData), os.FileMode(0755)); err == nil {
t.Logf("Updated data in %s", filename)
t.Logf("Verify the diff, commit changes, and rerun the tests")
} else {
t.Logf("Could not update data in %s: %v", filename, err)
}
} else {
t.Logf("Diff between bootstrap data and fixture data in %s:\n-------------\n%s", filename, diff.StringDiff(string(yamlData), string(expectedYAML)))
t.Logf("If the change is expected, re-run with %s=true to update the fixtures", updateEnvVar)
}
}
}

592
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored Normal file
View File

@ -0,0 +1,592 @@
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: admin
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- apps
attributeRestrictions: null
resources:
- statefulsets
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- autoscaling
attributeRestrictions: null
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
attributeRestrictions: null
resources:
- cronjobs
- jobs
- scheduledjobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- daemonsets
- deployments
- deployments/scale
- horizontalpodautoscalers
- jobs
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- authorization.k8s.io
attributeRestrictions: null
resources:
- localsubjectaccessreviews
verbs:
- create
- apiGroups:
- rbac.authorization.k8s.io
attributeRestrictions: null
resources:
- rolebindings
- roles
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: cluster-admin
rules:
- apiGroups:
- '*'
attributeRestrictions: null
resources:
- '*'
verbs:
- '*'
- attributeRestrictions: null
nonResourceURLs:
- '*'
verbs:
- '*'
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: edit
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- apps
attributeRestrictions: null
resources:
- statefulsets
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- autoscaling
attributeRestrictions: null
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
attributeRestrictions: null
resources:
- cronjobs
- jobs
- scheduledjobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- daemonsets
- deployments
- deployments/scale
- horizontalpodautoscalers
- jobs
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:auth-delegator
rules:
- apiGroups:
- authentication.k8s.io
attributeRestrictions: null
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
attributeRestrictions: null
resources:
- subjectaccessreviews
verbs:
- create
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:basic-user
rules:
- apiGroups:
- authorization.k8s.io
attributeRestrictions: null
resources:
- selfsubjectaccessreviews
verbs:
- create
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:discovery
rules:
- attributeRestrictions: null
nonResourceURLs:
- /api
- /api/*
- /apis
- /apis/*
- /version
verbs:
- get
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:node
rules:
- apiGroups:
- authentication.k8s.io
attributeRestrictions: null
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
attributeRestrictions: null
resources:
- localsubjectaccessreviews
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ""
attributeRestrictions: null
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- nodes
verbs:
- create
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- nodes/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- create
- delete
- get
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- configmaps
- secrets
verbs:
- get
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumeclaims
- persistentvolumes
verbs:
- get
- apiGroups:
- ""
attributeRestrictions: null
resources:
- endpoints
verbs:
- get
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:node-proxier
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- endpoints
- services
verbs:
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: view
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- pods
- replicationcontrollers
- replicationcontrollers/scale
- serviceaccounts
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- apps
attributeRestrictions: null
resources:
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
attributeRestrictions: null
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- apiGroups:
- batch
attributeRestrictions: null
resources:
- cronjobs
- jobs
- scheduledjobs
verbs:
- get
- list
- watch
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- daemonsets
- deployments
- deployments/scale
- horizontalpodautoscalers
- jobs
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- get
- list
- watch
kind: List
metadata: {}

199
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml vendored Normal file
View File

@ -0,0 +1,199 @@
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:attachdetach-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:attachdetach-controller
subjects:
- kind: ServiceAccount
name: attachdetach-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:cronjob-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:cronjob-controller
subjects:
- kind: ServiceAccount
name: cronjob-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:daemon-set-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:daemon-set-controller
subjects:
- kind: ServiceAccount
name: daemon-set-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:deployment-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:deployment-controller
subjects:
- kind: ServiceAccount
name: deployment-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:disruption-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:disruption-controller
subjects:
- kind: ServiceAccount
name: disruption-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:endpoint-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:endpoint-controller
subjects:
- kind: ServiceAccount
name: endpoint-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:horizontal-pod-autoscaler
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:horizontal-pod-autoscaler
subjects:
- kind: ServiceAccount
name: horizontal-pod-autoscaler
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:job-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:job-controller
subjects:
- kind: ServiceAccount
name: job-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:namespace-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:namespace-controller
subjects:
- kind: ServiceAccount
name: namespace-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:persistent-volume-binder
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:persistent-volume-binder
subjects:
- kind: ServiceAccount
name: persistent-volume-binder
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:pod-garbage-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:pod-garbage-controller
subjects:
- kind: ServiceAccount
name: pod-garbage-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:replicaset-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:replicaset-controller
subjects:
- kind: ServiceAccount
name: replicaset-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:replication-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:replication-controller
subjects:
- kind: ServiceAccount
name: replication-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:service-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:service-controller
subjects:
- kind: ServiceAccount
name: service-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRoleBinding
metadata:
creationTimestamp: null
name: system:controller:statefulset-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:controller:statefulset-controller
subjects:
- kind: ServiceAccount
name: statefulset-controller
namespace: kube-system
kind: List
metadata: {}

722
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml vendored Normal file
View File

@ -0,0 +1,722 @@
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:attachdetach-controller
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumeclaims
- persistentvolumes
verbs:
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- nodes/status
verbs:
- patch
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:cronjob-controller
rules:
- apiGroups:
- batch
attributeRestrictions: null
resources:
- cronjobs
verbs:
- get
- list
- update
- watch
- apiGroups:
- batch
attributeRestrictions: null
resources:
- jobs
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- batch
attributeRestrictions: null
resources:
- cronjobs/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:daemon-set-controller
rules:
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- daemonsets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- daemonsets/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- create
- delete
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods/binding
verbs:
- create
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:deployment-controller
rules:
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- deployments
verbs:
- get
- list
- update
- watch
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- deployments/status
verbs:
- update
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- replicasets
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- get
- list
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:disruption-controller
rules:
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- deployments
verbs:
- get
- list
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- replicasets
verbs:
- get
- list
- apiGroups:
- ""
attributeRestrictions: null
resources:
- replicationcontrollers
verbs:
- get
- list
- apiGroups:
- policy
attributeRestrictions: null
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- apiGroups:
- policy
attributeRestrictions: null
resources:
- poddisruptionbudgets/status
verbs:
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:endpoint-controller
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- endpoints
verbs:
- create
- delete
- get
- list
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- endpoints/restricted
verbs:
- create
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:horizontal-pod-autoscaler
rules:
- apiGroups:
- autoscaling
- extensions
attributeRestrictions: null
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
- extensions
attributeRestrictions: null
resources:
- horizontalpodautoscalers/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- replicationcontrollers/scale
verbs:
- get
- update
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- deployments/scale
- replicasets/scale
verbs:
- get
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- list
- apiGroups:
- ""
attributeRestrictions: null
resourceNames:
- 'https:heapster:'
resources:
- services
verbs:
- proxy
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:job-controller
rules:
- apiGroups:
- batch
- extensions
attributeRestrictions: null
resources:
- jobs
verbs:
- get
- list
- update
- watch
- apiGroups:
- batch
- extensions
attributeRestrictions: null
resources:
- jobs/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- create
- delete
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:namespace-controller
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- namespaces
verbs:
- delete
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- namespaces/finalize
- namespaces/status
verbs:
- update
- apiGroups:
- '*'
attributeRestrictions: null
resources:
- '*'
verbs:
- delete
- deletecollection
- get
- list
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:persistent-volume-binder
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumes/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumeclaims
verbs:
- get
- list
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumeclaims/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- storage.k8s.io
attributeRestrictions: null
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- endpoints
- services
verbs:
- create
- delete
- get
- apiGroups:
- ""
attributeRestrictions: null
resources:
- secrets
verbs:
- get
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:pod-garbage-controller
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- delete
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:replicaset-controller
rules:
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- replicasets
verbs:
- get
- list
- update
- watch
- apiGroups:
- extensions
attributeRestrictions: null
resources:
- replicasets/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- create
- delete
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:replication-controller
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- replicationcontrollers
verbs:
- get
- list
- update
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- replicationcontrollers/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- create
- delete
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:service-controller
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- services/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
name: system:controller:statefulset-controller
rules:
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- list
- watch
- apiGroups:
- apps
attributeRestrictions: null
resources:
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- apps
attributeRestrictions: null
resources:
- statefulsets/status
verbs:
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- pods
verbs:
- create
- delete
- get
- update
- apiGroups:
- ""
attributeRestrictions: null
resources:
- persistentvolumeclaims
verbs:
- create
- get
- apiGroups:
- ""
attributeRestrictions: null
resources:
- events
verbs:
- create
- patch
- update
kind: List
metadata: {}