From 5e9da75df2289bcc9fd2fe883d99e6271b9bb57c Mon Sep 17 00:00:00 2001
From: Kirill Shirinkin
Date: Fri, 26 Jul 2019 20:59:22 +0200
Subject: [PATCH] Allow aggregate-to-view roles to get jobs status (#77866)
* Allow aggregate-to-edit roles to get jobs status
Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create. This change extends `aggregate-to-edit` rules to include `jobs/status`.
* Move jobs/status to aggregate-to-view rules
* Add aggregate-to-view policy to view PVCs status
* Update fixtures to include new read permissions
* Add more status subresources
* Update cluster-roles.yaml
* Re-order deployment permissions
* Run go fmt
* Add more permissions
* Fix tests
* Re-order permissions in test data
* Automatically update yamls
---
 .../authorizer/rbac/bootstrappolicy/policy.go | 22 +++++++++----------
 .../testdata/cluster-roles.yaml | 15 +++++++++++++
 2 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 3229fe245ea..2f9bcb8ad75 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -300,7 +300,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-view", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
- "services", "endpoints", "persistentvolumeclaims", "configmaps").RuleOrDie(),
+ "services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
 rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events", "pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
 // read access to namespaces at the namespace scope means you can read *this* namespace. This can be used as an
@@ -309,22 +309,22 @@ func ClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
 "controllerrevisions",
- "statefulsets", "statefulsets/scale",
- "daemonsets",
- "deployments", "deployments/scale",
- "replicasets", "replicasets/scale").RuleOrDie(),
+ "statefulsets", "statefulsets/status", "statefulsets/scale",
+ "daemonsets", "daemonsets/status",
+ "deployments", "deployments/status", "deployments/scale",
+ "replicasets", "replicasets/status", "replicasets/scale").RuleOrDie(),
- rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
+ rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(),
- rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
+ rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs", "cronjobs/status", "jobs/status").RuleOrDie(),
- rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
- "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale",
+ rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status",
+ "ingresses", "ingresses/status", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale",
 "networkpolicies").RuleOrDie(),
- rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
+ rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets", "poddisruptionbudgets/status").RuleOrDie(),
- rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses").RuleOrDie(),
+ rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses", "ingresses/status").RuleOrDie(),
 },
 },
 {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index e3fd054bd5a..0ec6f82df57 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -236,11 +236,13 @@ items:
 - configmaps
 - endpoints
 - persistentvolumeclaims
+ - persistentvolumeclaims/status
 - pods
 - replicationcontrollers
 - replicationcontrollers/scale
 - serviceaccounts
 - services
+ - services/status
 verbs:
 - get
 - list
@@ -274,12 +276,16 @@ items:
 resources:
 - controllerrevisions
 - daemonsets
+ - daemonsets/status
 - deployments
 - deployments/scale
+ - deployments/status
 - replicasets
 - replicasets/scale
+ - replicasets/status
 - statefulsets
 - statefulsets/scale
+ - statefulsets/status
 verbs:
 - get
 - list
@@ -288,6 +294,7 @@ items:
 - autoscaling
 resources:
 - horizontalpodautoscalers
+ - horizontalpodautoscalers/status
 verbs:
 - get
 - list
@@ -296,7 +303,9 @@ items:
 - batch
 resources:
 - cronjobs
+ - cronjobs/status
 - jobs
+ - jobs/status
 verbs:
 - get
 - list
@@ -305,12 +314,16 @@ items:
 - extensions
 resources:
 - daemonsets
+ - daemonsets/status
 - deployments
 - deployments/scale
+ - deployments/status
 - ingresses
+ - ingresses/status
 - networkpolicies
 - replicasets
 - replicasets/scale
+ - replicasets/status
 - replicationcontrollers/scale
 verbs:
 - get
@@ -320,6 +333,7 @@ items:
 - policy
 resources:
 - poddisruptionbudgets
+ - poddisruptionbudgets/status
 verbs:
 - get
 - list
@@ -328,6 +342,7 @@ items:
 - networking.k8s.io
 resources:
 - ingresses
+ - ingresses/status
 - networkpolicies
 verbs:
 - get
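Review bot: Nothing in the appsGroup, batchGroup or extensionsGroup rules says why the `*/status` subresources are now listed, so the next reader cannot tell whether the rule widens what `system:aggregate-to-view` (and every ClusterRole aggregating on the label shown in the first hunk) exposes; a comment above the appsGroup rule such as `// status subresources must be granted explicitly: RBAC does not derive subresource access from access to the parent resource, and a GET on a status subresource returns the same object the parent GET already exposes, so the read surface is unchanged` would record that. The ordering is also inconsistent within the commit: the appsGroup rule lists `"deployments", "deployments/status", "deployments/scale"`, the extensionsGroup rule lists `"deployments", "deployments/scale", "deployments/status"`, and the batchGroup rule separates `"jobs"` from `"jobs/status"` with the cronjobs entries in between; since the golden fixture sorts resources alphabetically anyway, one parent-then-subresource order in policy.go would make future permission diffs easier to audit. The `cluster-roles.yaml` hunks are the regenerated fixture and need no change. `ClusterRoles` starts before and ends after this hunk.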