Merge pull request #56095 from ericchiang/rbac-bootstrap-self-subject-rules-review

Automatic merge from submit-queue (batch tested with PRs 55112, 56029, 55740, 56095, 55845). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. rbac bootstrap policy: add selfsubjectrulesreviews to basic-user cc @kubernetes/sig-auth-pr-reviews Extracted from #53324, which wont be merged for 1.9. ```release-note The RBAC bootstrapping policy now allows authenticated users to create selfsubjectrulesreviews. ``` /assign @deads2k
2025-07-30 15:05:27 +00:00 · 2017-11-20 21:03:47 -08:00 · 2017-11-20 21:03:47 -08:00 · 678bad5170
commit 678bad5170
parent ccc81b2f42 21ab4d0c9b
2 changed files with 2 additions and 1 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -169,7 +169,7 @@ func ClusterRoles() []rbac.ClusterRole {
 			ObjectMeta: metav1.ObjectMeta{Name: "system:basic-user"},
 			Rules: []rbac.PolicyRule{
 				// TODO add future selfsubjectrulesreview, project request APIs, project listing APIs
-				rbac.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews").RuleOrDie(),
+				rbac.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews", "selfsubjectrulesreviews").RuleOrDie(),
 			},
 		},

--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@ -522,6 +522,7 @@ items:
    - authorization.k8s.io
    resources:
    - selfsubjectaccessreviews
+    - selfsubjectrulesreviews
    verbs:
    - create
 - apiVersion: rbac.authorization.k8s.io/v1