From 4b6a3439a36d63e0e0cdbf0c3edfb4c38aae2fe6 Mon Sep 17 00:00:00 2001
From: NickrenREN
Date: Fri, 26 Jan 2018 15:20:51 +0800
Subject: [PATCH] Add policy for pv protection controller
---
 .../authorizer/rbac/bootstrappolicy/controller_policy.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 29cae666fd6..6bac0fa5a01 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -334,6 +334,15 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
 },
 })
 }
+ if utilfeature.DefaultFeatureGate.Enabled(features.StorageProtection) {
+ addControllerRole(&controllerRoles, &controllerRoleBindings, rbac.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pv-protection-controller"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
+ eventsRule(),
+ },
+ })
+ }

 return controllerRoles, controllerRoleBindings
 }
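Review bot: The new `pv-protection-controller` rule grants `update` on every `persistentvolumes` object cluster-wide with no comment saying why each verb is needed, so a later reader cannot tell which verbs are safe to tighten. Judging by the role name, the controller presumably only edits the protection finalizer, but RBAC cannot scope `update` to `metadata.finalizers`, so the service account can also rewrite fields such as the claim reference or reclaim policy. I would record that above the rule, e.g. `// update is required to add/remove the protection finalizer; RBAC cannot restrict it to metadata.finalizers`, and confirm whether `get` is needed if the controller reads only through list/watch. The role is also created only when `features.StorageProtection` is enabled in the process that builds the bootstrap policy, so a component running the controller with the gate on while this process has it off would get no role; a short comment on the `if` should state that the gate must match. `buildControllerRoles` begins outside this hunk, so existing conventions earlier in the function are not visible here.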