From 4aeb3f3ffe70ccf1e6e2788dfe66a5436ed91b74 Mon Sep 17 00:00:00 2001
From: deads2k
Date: Mon, 12 Dec 2016 08:39:41 -0500
Subject: [PATCH] update pod RBAC roles to work against head
---
 .../authorizer/rbac/bootstrappolicy/policy.go | 2 +-
 .../rbac/bootstrappolicy/policy_test.go | 16 ++++
 .../testdata/cluster-role-bindings.yaml | 78 +++++++++++++++++++
 .../testdata/cluster-roles.yaml | 1 +
 4 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 2d1b01704cd..dbaa9e80efa 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -184,7 +184,7 @@ func ClusterRoles() []rbac.ClusterRole {
 // TODO: restrict to creating a node with the same name they announce
 rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 // TODO: restrict to the bound node once supported
- rbac.NewRule("update").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
+ rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
 // TODO: restrict to the bound node as creator once supported
 rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
index 5d0ddd579b8..2623cc0e9cc 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
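Review bot: The added `patch` verb on nodes/status is granted, like `update`, to every member of the system:nodes group, so until the bound-node restriction named in the TODO exists, any node identity can patch the status of any other node; the hunk does not say why patch is now needed. The commit title suggests the node-status write path at head now uses patch, but that is inferred rather than visible here, so the rule should carry its own justification, e.g. `// TODO: restrict to the bound node once supported; "patch" mirrors the node-status write path at head and widens the same unrestricted grant`. The matching golden change in testdata/cluster-roles.yaml is the expected companion. ClusterRoles begins and ends outside the hunk.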
@@ -167,6 +167,22 @@ func TestBootstrapClusterRoles(t *testing.T) {
 testObjects(t, list, "cluster-roles.yaml")
 }
+func TestBootstrapClusterRoleBindings(t *testing.T) {
+ list := &api.List{}
+ names := sets.NewString()
+ roleBindings := map[string]runtime.Object{}
+ bootstrapRoleBindings := bootstrappolicy.ClusterRoleBindings()
+ for i := range bootstrapRoleBindings {
+ role := bootstrapRoleBindings[i]
+ names.Insert(role.Name)
+ roleBindings[role.Name] = &role
+ }
+ for _, name := range names.List() {
+ list.Items = append(list.Items, roleBindings[name])
+ }
+ testObjects(t, list, "cluster-role-bindings.yaml")
+}
+
 func TestBootstrapControllerRoles(t *testing.T) {
 list := &api.List{}
 names := sets.NewString()
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
new file mode 100644
index 00000000000..5bb67c355fe
--- /dev/null
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
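Review bot: The map in TestBootstrapClusterRoleBindings is keyed only by Name, so two bootstrap bindings with the same name would be silently collapsed into one entry and the golden comparison would still pass; the loop variable is also named `role` although it holds a ClusterRoleBinding. Rename it and fail on a repeated name: `binding := bootstrapRoleBindings[i]` followed by `if names.Has(binding.Name) { t.Fatalf("duplicate cluster role binding %q", binding.Name) }` before the Insert. Taking `&role` is safe as written because the variable is declared fresh on each iteration. A one-line comment on the test would help reviewers of future diffs: `// Golden test: cluster-role-bindings.yaml is the reviewable record of which subjects receive default cluster-wide bindings.`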
@@ -0,0 +1,78 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1alpha1
+ kind: ClusterRoleBinding
+ metadata:
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: cluster-admin
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+ subjects:
+ - kind: Group
+ name: system:masters
+- apiVersion: rbac.authorization.k8s.io/v1alpha1
+ kind: ClusterRoleBinding
+ metadata:
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:basic-user
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:basic-user
+ subjects:
+ - kind: Group
+ name: system:authenticated
+ - kind: Group
+ name: system:unauthenticated
+- apiVersion: rbac.authorization.k8s.io/v1alpha1
+ kind: ClusterRoleBinding
+ metadata:
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:discovery
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:discovery
+ subjects:
+ - kind: Group
+ name: system:authenticated
+ - kind: Group
+ name: system:unauthenticated
+- apiVersion: rbac.authorization.k8s.io/v1alpha1
+ kind: ClusterRoleBinding
+ metadata:
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:node
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:node
+ subjects:
+ - kind: Group
+ name: system:nodes
+- apiVersion: rbac.authorization.k8s.io/v1alpha1
+ kind: ClusterRoleBinding
+ metadata:
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:node-proxier
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:node-proxier
+ subjects:
+ - kind: Group
+ name: system:nodes
+kind: List
+metadata: {}
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 5562da1371d..6abb09efad8 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -436,6 +436,7 @@ items:
 resources:
 - nodes/status
 verbs:
+ - patch
 - update
 - apiGroups:
 - ""