From bda95a59adad71146104a61290957449d4d2a73d Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 9 Jan 2017 17:45:12 -0500
Subject: [PATCH 1/4] Allow node-controller to update node status
---
 .../rbac/bootstrappolicy/controller_policy.go | 6 ++++-
 .../testdata/controller-roles.yaml | 23 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 19f0632d3df..96828a7f3fd 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -166,7 +166,11 @@ func init() {
 addControllerRole(rbac.ClusterRole{
 ObjectMeta: api.ObjectMeta{Name: saRolePrefix + "node-controller"},
 Rules: []rbac.PolicyRule{
- rbac.NewRule("get", "list", "update").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+ rbac.NewRule("get", "list", "update", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+ rbac.NewRule("update").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
+ // used for pod eviction
+ rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
+ rbac.NewRule("list", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 eventsRule(),
 },
 })
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index add13f97bb7..362b8f87d94 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
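Review bot: The `// used for pod eviction` comment sits between the `nodes/status` and `pods/status` rules and reads as applying only to `pods/status`, while the new `delete` verb on `nodes` and the `list`/`delete` rule on `pods` — the broadest grants in the hunk, since they let the node-controller service account remove any pod in any namespace — carry no rationale at all. The commit subject mentions only node status updates, so a later audit of this bootstrap policy cannot tell from the code which controller path needs each permission. Suggest widening the comment to `// used for pod eviction (pods/status update, pods list/delete)` placed above the two pod rules, plus a one-line comment above the `nodes` rule naming why `delete` is needed (presumably removing Node objects whose backing instance has gone away; confirm against the node controller before writing it). The enclosing `init()` starts before and continues after this hunk.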
@@ -533,9 +533,32 @@ items:
 resources:
 - nodes
 verbs:
+ - delete
 - get
 - list
 - update
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - nodes/status
+ verbs:
+ - update
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - pods/status
+ verbs:
+ - update
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - pods
+ verbs:
+ - delete
+ - list
 - apiGroups:
 - ""
 attributeRestrictions: null
From c59c11eb0d0237f7780283b1832c729306a03392 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 9 Jan 2017 22:59:06 -0500
Subject: [PATCH 2/4] fix role for pod-garbage-collector
---
 .../authorizer/rbac/bootstrappolicy/controller_policy.go | 2 +-
 .../bootstrappolicy/testdata/controller-role-bindings.yaml | 6 +++---
 .../rbac/bootstrappolicy/testdata/controller-roles.yaml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 96828a7f3fd..3e594de805e 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -192,7 +192,7 @@ func init() {
 },
 })
 addControllerRole(rbac.ClusterRole{
- ObjectMeta: api.ObjectMeta{Name: saRolePrefix + "pod-garbage-controller"},
+ ObjectMeta: api.ObjectMeta{Name: saRolePrefix + "pod-garbage-collector"},
 Rules: []rbac.PolicyRule{
 rbac.NewRule("list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 rbac.NewRule("list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
index 4f477d0ff34..159e6c6065c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
@@ -186,14 +186,14 @@ items:
 creationTimestamp: null
 labels:
 kubernetes.io/bootstrapping: rbac-defaults
- name: system:controller:pod-garbage-controller
+ name: system:controller:pod-garbage-collector
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: system:controller:pod-garbage-controller
+ name: system:controller:pod-garbage-collector
 subjects:
 - kind: ServiceAccount
- name: pod-garbage-controller
+ name: pod-garbage-collector
 namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1alpha1
 kind: ClusterRoleBinding
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 362b8f87d94..69630f83c9d 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -664,7 +664,7 @@ items:
 creationTimestamp: null
 labels:
 kubernetes.io/bootstrapping: rbac-defaults
- name: system:controller:pod-garbage-controller
+ name: system:controller:pod-garbage-collector
 rules:
 - apiGroups:
 - ""
From 6d3b06125ebee49ae313e57351a3a62217660040 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 9 Jan 2017 23:28:22 -0500
Subject: [PATCH 3/4] Allow the persistent volume binder to watch events
---
 .../authorizer/rbac/bootstrappolicy/controller_policy.go | 3 +++
 .../rbac/bootstrappolicy/testdata/controller-roles.yaml | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 3e594de805e..9db4ac40e94 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -188,6 +188,9 @@ func init() {
 rbac.NewRule("get", "create", "delete").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
 rbac.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
+ // recyclerClient.WatchPod
+ rbac.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),
+
 eventsRule(),
 },
 })
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 69630f83c9d..2ff78c64e60 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -649,6 +649,13 @@ items:
 - secrets
 verbs:
 - get
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - events
+ verbs:
+ - watch
 - apiGroups:
 - ""
 attributeRestrictions: null
From c6550af7027867f2b776b5a79f1ae9db52a1d64f Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 9 Jan 2017 23:34:30 -0500
Subject: [PATCH 4/4] Allow proxier to write events
---
 .../pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 2 ++
 .../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 9 +++++++++
 2 files changed, 11 insertions(+)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index a8d28ac58b3..f546da899c2 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -219,6 +219,8 @@ func ClusterRoles() []rbac.ClusterRole {
 // Used to build serviceLister
 rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
 rbac.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+
+ eventsRule(),
 },
 },
 {
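Review bot: The comment `// recyclerClient.WatchPod` names a call site but not what the `watch` on `events` is for, nor how it relates to the `eventsRule()` right below it, which judging by the `cluster-roles.yaml` hunk in patch 4 grants `create`/`patch`/`update` on events; a reader may take the two rules as overlapping and fold one into the other, silently breaking the recycler. Since both rules target the same resource, the comment should make the split explicit, e.g. `// recyclerClient.WatchPod watches events for the recycler pod; eventsRule() grants only the write verbs`. The enclosing `init()` starts before and continues after this hunk.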
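Review bot: The added `eventsRule()` has no comment saying which proxier code path emits events, whereas the neighbouring rule is documented with `// Used to build serviceLister`; since this ClusterRole is presumably bound to the proxy on every node, the reason for granting cluster-wide event writes should be recorded next to the rule. Suggest a comment in the same style, `// Used by the proxier's event recorder` (or the actual call site, which is not visible from here), in place of the blank `+` line, which also keeps the rule list in the same shape as the node-controller role in patch 1. The enclosing `ClusterRoles()` starts before and continues after this hunk.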
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index c693b81fc7d..7121feeac30 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -621,6 +621,15 @@ items:
 - nodes
 verbs:
 - get
+ - apiGroups:
+ - ""
+ attributeRestrictions: null
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
 - apiVersion: rbac.authorization.k8s.io/v1alpha1
 kind: ClusterRole
 metadata: