Allow aggregate-to-view roles to get jobs status (#77866)

* Allow aggregate-to-edit roles to get jobs status

Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create. This change extends `aggregate-to-edit` rules to include `jobs/status`.

* Move jobs/status to aggregate-to-view rules

* Add aggregate-to-view policy to view PVCs status

* Update fixtures to include new read permissions

* Add more status subresources

* Update cluster-roles.yaml

* Re-order deployment permissions

* Run go fmt

* Add more permissions

* Fix tests

* Re-order permissions in test data

* Automatically update yamls
Kirill Shirinkin 2019-07-26 20:59:22 +02:00 committed by Kubernetes Prow Robot
parent 2c2ca27bfc
commit 5e9da75df2
2 changed files with 26 additions and 11 deletions


@ -300,7 +300,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-view", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
"services", "endpoints", "persistentvolumeclaims", "configmaps").RuleOrDie(),
"services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
// read access to namespaces at the namespace scope means you can read *this* namespace. This can be used as an
@ -309,22 +309,22 @@ func ClusterRoles() []rbacv1.ClusterRole {
rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
"controllerrevisions",
"statefulsets", "statefulsets/scale",
"daemonsets",
"deployments", "deployments/scale",
"replicasets", "replicasets/scale").RuleOrDie(),
"statefulsets", "statefulsets/status", "statefulsets/scale",
"daemonsets", "daemonsets/status",
"deployments", "deployments/status", "deployments/scale",
"replicasets", "replicasets/status", "replicasets/scale").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs", "cronjobs/status", "jobs/status").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
"ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale",
rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status",
"ingresses", "ingresses/status", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale",
"networkpolicies").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets", "poddisruptionbudgets/status").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses").RuleOrDie(),
rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses", "ingresses/status").RuleOrDie(),
},
},
{
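Review bot: The new status subresources are ordered inconsistently between groups — the appsGroup rule lists `"deployments", "deployments/status", "deployments/scale"` while the extensionsGroup rule lists `"deployments", "deployments/scale", "deployments/status"` — and in legacyGroup the new `"services/status"` and `"persistentvolumeclaims/status"` land in the first rule while the existing status entries (`"pods/status"`, `"replicationcontrollers/status"`, …) live in the second. The regenerated fixture appears to sort resource names alphabetically, so the Go source is the only place this ordering is visible; settling on one order (status before scale, as in apps) and moving the two legacyGroup entries next to their siblings would make the aggregated view role easier to audit. The property that matters for review — every added entry is bound to `Read...` verbs, and a GET on the parent object already returns its status stanza, so `view` gains no data it could not already read — is worth recording above the first legacyGroup rule, e.g. `// status subresources are granted read-only; the parent object's GET already returns status, so no additional data is exposed`. ClusterRoles begins before this hunk and continues after it.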


@ -236,11 +236,13 @@ items:
- configmaps
- endpoints
- persistentvolumeclaims
- persistentvolumeclaims/status
- pods
- replicationcontrollers
- replicationcontrollers/scale
- serviceaccounts
- services
- services/status
verbs:
- get
- list
@ -274,12 +276,16 @@ items:
resources:
- controllerrevisions
- daemonsets
- daemonsets/status
- deployments
- deployments/scale
- deployments/status
- replicasets
- replicasets/scale
- replicasets/status
- statefulsets
- statefulsets/scale
- statefulsets/status
verbs:
- get
- list
@ -288,6 +294,7 @@ items:
- autoscaling
resources:
- horizontalpodautoscalers
- horizontalpodautoscalers/status
verbs:
- get
- list
@ -296,7 +303,9 @@ items:
- batch
resources:
- cronjobs
- cronjobs/status
- jobs
- jobs/status
verbs:
- get
- list
@ -305,12 +314,16 @@ items:
- extensions
resources:
- daemonsets
- daemonsets/status
- deployments
- deployments/scale
- deployments/status
- ingresses
- ingresses/status
- networkpolicies
- replicasets
- replicasets/scale
- replicasets/status
- replicationcontrollers/scale
verbs:
- get
@ -320,6 +333,7 @@ items:
- policy
resources:
- poddisruptionbudgets
- poddisruptionbudgets/status
verbs:
- get
- list
@ -328,6 +342,7 @@ items:
- networking.k8s.io
resources:
- ingresses
- ingresses/status
- networkpolicies
verbs:
- get