diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 19f0632d3df..9db4ac40e94 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -166,7 +166,11 @@ func init() {
 	addControllerRole(rbac.ClusterRole{
 		ObjectMeta: api.ObjectMeta{Name: saRolePrefix + "node-controller"},
 		Rules: []rbac.PolicyRule{
-			rbac.NewRule("get", "list", "update").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+			rbac.NewRule("get", "list", "update", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+			rbac.NewRule("update").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
+			// used for pod eviction
+			rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
+			rbac.NewRule("list", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			eventsRule(),
 		},
 	})
@@ -184,11 +188,14 @@ func init() {
 			rbac.NewRule("get", "create", "delete").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
 			rbac.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
+			// recyclerClient.WatchPod
+			rbac.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),
+
 			eventsRule(),
 		},
 	})
 	addControllerRole(rbac.ClusterRole{
-		ObjectMeta: api.ObjectMeta{Name: saRolePrefix + "pod-garbage-controller"},
+		ObjectMeta: api.ObjectMeta{Name: saRolePrefix + "pod-garbage-collector"},
 		Rules: []rbac.PolicyRule{
 			rbac.NewRule("list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			rbac.NewRule("list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 165dfa51910..ca0c5d921d7 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
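Review bot: Only the `pods/status` line of the node-controller role carries a why-comment (`// used for pod eviction`); the new `list`/`delete` on pods and `delete` on nodes are equally broad, cluster-scoped grants to this service account and have none. Since these cannot be narrowed with resourceNames, a comment naming the controller code path that needs each verb is the only record of why the privilege exists — the persistent-volume-binder rule later in this file does exactly that with `// recyclerClient.WatchPod`. If pod deletion is part of the same eviction path, restating the comment as `// used for pod eviction (status update + delete)` above both pod rules makes that explicit; the reason for `delete` on nodes is not visible here (presumably cloud-provider node removal — confirm) and should be stated on its line. The enclosing init() starts and ends outside the hunk.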
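Review bot: The rename on the ObjectMeta line changes the ClusterRole name, and the bindings fixture further down in this diff shows the bound ServiceAccount name changing with it; a cluster that already bootstrapped `system:controller:pod-garbage-controller` will presumably keep that role and binding unless something removes them, which this hunk does not do — worth either a cleanup step or a note in the commit message. Separately, the blank added line before `eventsRule()` differs from the node-controller role above, which lists `eventsRule()` directly after its last rule; dropping the blank line keeps the two roles consistent. The enclosing init() continues outside the hunk.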
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -219,6 +219,8 @@ func ClusterRoles() []rbac.ClusterRole {
 				// Used to build serviceLister
 				rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
 				rbac.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+
+				eventsRule(),
 			},
 		},
 		{
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index b0ad1b0d93c..305169c987a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -621,6 +621,15 @@ items:
     - nodes
     verbs:
     - get
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
 - apiVersion: rbac.authorization.k8s.io/v1alpha1
   kind: ClusterRole
   metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
index 4f477d0ff34..159e6c6065c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
@@ -186,14 +186,14 @@ items:
     creationTimestamp: null
     labels:
       kubernetes.io/bootstrapping: rbac-defaults
-    name: system:controller:pod-garbage-controller
+    name: system:controller:pod-garbage-collector
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
-    name: system:controller:pod-garbage-controller
+    name: system:controller:pod-garbage-collector
   subjects:
   - kind: ServiceAccount
-    name: pod-garbage-controller
+    name: pod-garbage-collector
     namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1alpha1
   kind: ClusterRoleBinding
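Review bot: `eventsRule()` is added to this ClusterRole without a comment, while the neighbouring rule is annotated (`// Used to build serviceLister`) and the controller roles in controller_policy.go cite the code path that needs each grant; the cluster-roles.yaml fixture in this same diff shows the rule expands to `create`/`patch`/`update` on events cluster-wide, so the reason belongs next to it. A one-line comment of the form `// records events from <call site>` (fill in the recorder that uses this role — not visible here) would keep that rationale discoverable. The role's name and the start of its literal, and the rest of ClusterRoles(), are outside the hunk.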
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index add13f97bb7..2ff78c64e60 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -533,9 +533,32 @@ items:
     resources:
     - nodes
     verbs:
+    - delete
     - get
     - list
     - update
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - nodes/status
+    verbs:
+    - update
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - pods/status
+    verbs:
+    - update
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - pods
+    verbs:
+    - delete
+    - list
   - apiGroups:
     - ""
     attributeRestrictions: null
@@ -626,6 +649,13 @@ items:
     - secrets
     verbs:
     - get
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - events
+    verbs:
+    - watch
   - apiGroups:
     - ""
     attributeRestrictions: null
@@ -641,7 +671,7 @@ items:
     creationTimestamp: null
     labels:
       kubernetes.io/bootstrapping: rbac-defaults
-    name: system:controller:pod-garbage-controller
+    name: system:controller:pod-garbage-collector
   rules:
   - apiGroups:
     - ""