Allow aggregate-to-view roles to get jobs status (#77866)
* Allow aggregate-to-edit roles to get jobs status Right now users/accounts with role `admin` or `edit` can create, update and delete jobs, but are not allowed to pull the status of a job that they create. This change extends `aggregate-to-edit` rules to include `jobs/status`. * Move jobs/status to aggregate-to-view rules * Add aggregate-to-view policy to view PVCs status * Update fixtures to include new read permissions * Add more status subresources * Update cluster-roles.yaml * Re-order deployment permissions * Run go fmt * Add more permissions * Fix tests * Re-order permissions in test data * Automatically update yamls
This commit is contained in:
parent
2c2ca27bfc
commit
5e9da75df2
@ -300,7 +300,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
|
|||||||
ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-view", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
|
ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-view", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
|
||||||
Rules: []rbacv1.PolicyRule{
|
Rules: []rbacv1.PolicyRule{
|
||||||
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
|
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
|
||||||
"services", "endpoints", "persistentvolumeclaims", "configmaps").RuleOrDie(),
|
"services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
|
||||||
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
|
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
|
||||||
"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
|
"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
|
||||||
// read access to namespaces at the namespace scope means you can read *this* namespace. This can be used as an
|
// read access to namespaces at the namespace scope means you can read *this* namespace. This can be used as an
|
||||||
@ -309,22 +309,22 @@ func ClusterRoles() []rbacv1.ClusterRole {
|
|||||||
|
|
||||||
rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
|
rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
|
||||||
"controllerrevisions",
|
"controllerrevisions",
|
||||||
"statefulsets", "statefulsets/scale",
|
"statefulsets", "statefulsets/status", "statefulsets/scale",
|
||||||
"daemonsets",
|
"daemonsets", "daemonsets/status",
|
||||||
"deployments", "deployments/scale",
|
"deployments", "deployments/status", "deployments/scale",
|
||||||
"replicasets", "replicasets/scale").RuleOrDie(),
|
"replicasets", "replicasets/status", "replicasets/scale").RuleOrDie(),
|
||||||
|
|
||||||
rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
|
rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(),
|
||||||
|
|
||||||
rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
|
rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs", "cronjobs/status", "jobs/status").RuleOrDie(),
|
||||||
|
|
||||||
rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
|
rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status",
|
||||||
"ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale",
|
"ingresses", "ingresses/status", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale",
|
||||||
"networkpolicies").RuleOrDie(),
|
"networkpolicies").RuleOrDie(),
|
||||||
|
|
||||||
rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets", "poddisruptionbudgets/status").RuleOrDie(),
|
||||||
|
|
||||||
rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses").RuleOrDie(),
|
rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses", "ingresses/status").RuleOrDie(),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
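Review bot: The subresource ordering added in the second hunk is inconsistent between the apps and extensions rules: the apps rule lists `"deployments", "deployments/status", "deployments/scale"` and `"replicasets", "replicasets/status", "replicasets/scale"`, while the extensions rule lists `"deployments", "deployments/scale", "deployments/status"` and `"replicasets", "replicasets/scale", "replicasets/status"`. I would align the extensions rule with the apps one by changing its two lines to `"daemonsets", "daemonsets/status", "deployments", "deployments/status", "deployments/scale",` and `"ingresses", "ingresses/status", "replicasets", "replicasets/status", "replicasets/scale", "replicationcontrollers/scale",` so the two groups can be compared line by line. Likewise, `services/status` and `persistentvolumeclaims/status` are appended to the legacy-group resource rule in the first hunk while the other legacy `/status` subresources (`pods/status`, `resourcequotas/status`, `namespaces/status`, `replicationcontrollers/status`) live in the rule right below it; either grouping works, but it should be one of them. From an access-control standpoint the widening looks safe as far as these hunks show: every added `/status` subresource is granted with the same read-only verbs and next to a parent resource this aggregate-to-view role already reads, which is worth recording with a short comment above the rules, e.g. `// status subresources are read-only and their parent resources are already readable here`. ClusterRoles() begins and ends outside these hunks.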
|
@ -236,11 +236,13 @@ items:
|
|||||||
- configmaps
|
- configmaps
|
||||||
- endpoints
|
- endpoints
|
||||||
- persistentvolumeclaims
|
- persistentvolumeclaims
|
||||||
|
- persistentvolumeclaims/status
|
||||||
- pods
|
- pods
|
||||||
- replicationcontrollers
|
- replicationcontrollers
|
||||||
- replicationcontrollers/scale
|
- replicationcontrollers/scale
|
||||||
- serviceaccounts
|
- serviceaccounts
|
||||||
- services
|
- services
|
||||||
|
- services/status
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
@ -274,12 +276,16 @@ items:
|
|||||||
resources:
|
resources:
|
||||||
- controllerrevisions
|
- controllerrevisions
|
||||||
- daemonsets
|
- daemonsets
|
||||||
|
- daemonsets/status
|
||||||
- deployments
|
- deployments
|
||||||
- deployments/scale
|
- deployments/scale
|
||||||
|
- deployments/status
|
||||||
- replicasets
|
- replicasets
|
||||||
- replicasets/scale
|
- replicasets/scale
|
||||||
|
- replicasets/status
|
||||||
- statefulsets
|
- statefulsets
|
||||||
- statefulsets/scale
|
- statefulsets/scale
|
||||||
|
- statefulsets/status
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
@ -288,6 +294,7 @@ items:
|
|||||||
- autoscaling
|
- autoscaling
|
||||||
resources:
|
resources:
|
||||||
- horizontalpodautoscalers
|
- horizontalpodautoscalers
|
||||||
|
- horizontalpodautoscalers/status
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
@ -296,7 +303,9 @@ items:
|
|||||||
- batch
|
- batch
|
||||||
resources:
|
resources:
|
||||||
- cronjobs
|
- cronjobs
|
||||||
|
- cronjobs/status
|
||||||
- jobs
|
- jobs
|
||||||
|
- jobs/status
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
@ -305,12 +314,16 @@ items:
|
|||||||
- extensions
|
- extensions
|
||||||
resources:
|
resources:
|
||||||
- daemonsets
|
- daemonsets
|
||||||
|
- daemonsets/status
|
||||||
- deployments
|
- deployments
|
||||||
- deployments/scale
|
- deployments/scale
|
||||||
|
- deployments/status
|
||||||
- ingresses
|
- ingresses
|
||||||
|
- ingresses/status
|
||||||
- networkpolicies
|
- networkpolicies
|
||||||
- replicasets
|
- replicasets
|
||||||
- replicasets/scale
|
- replicasets/scale
|
||||||
|
- replicasets/status
|
||||||
- replicationcontrollers/scale
|
- replicationcontrollers/scale
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
@ -320,6 +333,7 @@ items:
|
|||||||
- policy
|
- policy
|
||||||
resources:
|
resources:
|
||||||
- poddisruptionbudgets
|
- poddisruptionbudgets
|
||||||
|
- poddisruptionbudgets/status
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
@ -328,6 +342,7 @@ items:
|
|||||||
- networking.k8s.io
|
- networking.k8s.io
|
||||||
resources:
|
resources:
|
||||||
- ingresses
|
- ingresses
|
||||||
|
- ingresses/status
|
||||||
- networkpolicies
|
- networkpolicies
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
|