From 4a067cc022e29ccea901ddcf9e911a0797e69743 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Skocze=C5=84?=
Date: Mon, 27 Oct 2025 12:52:53 +0000
Subject: [PATCH] Add read Workload permissions to kube-scheduler

---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 4 ++++
 .../testdata/cluster-roles-featuregates.yaml | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index cc879f432c7..79e643257a9 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -66,6 +66,7 @@ const (
 internalAPIServerGroup = "internal.apiserver.k8s.io"
 admissionRegistrationGroup = "admissionregistration.k8s.io"
 storageVersionMigrationGroup = "storagemigration.k8s.io"
+ schedulingGroup = "scheduling.k8s.io"
 )
 
 func addDefaultMetadata(obj runtime.Object) {
@@ -649,6 +650,9 @@ func ClusterRoles() []rbacv1.ClusterRole {
 kubeSchedulerRules = append(kubeSchedulerRules, rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("devicetaintrules").RuleOrDie())
 }
 }
+ if utilfeature.DefaultFeatureGate.Enabled(features.GenericWorkload) {
+ kubeSchedulerRules = append(kubeSchedulerRules, rbacv1helpers.NewRule(Read...).Groups(schedulingGroup).Resources("workloads").RuleOrDie())
+ }
 roles = append(roles, rbacv1.ClusterRole{
 // a role to use for the kube-scheduler
 ObjectMeta: metav1.ObjectMeta{Name: "system:kube-scheduler"},
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
index e67bc0a313e..3365e89836e 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
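Review bot: The new GenericWorkload block that appends the scheduling.k8s.io/workloads rule to kubeSchedulerRules carries no comment on why kube-scheduler needs this access, and the surrounding grants in this function are only self-describing through their resource names; a short `// GenericWorkload: kube-scheduler only needs get/list/watch on Workload objects; no write verbs are granted.` above the `if` would make the least-privilege intent explicit for the next reader. The grant itself uses `Read...`, which the updated featuregates fixture shows expands to get/list/watch, so the scope is read-only and looks appropriate for a scheduler. Only the featuregates fixture changes in the diffstat, which is consistent with the gate being disabled by default; if GenericWorkload is later enabled by default, the default-policy fixture will presumably need the same entry. ClusterRoles begins before and continues after this hunk.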
@@ -976,6 +976,14 @@ items:
 - get
 - list
 - watch
+ - apiGroups:
+ - scheduling.k8s.io
+ resources:
+ - workloads
+ verbs:
+ - get
+ - list
+ - watch
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: