Merge pull request #44645 from mikedanese/cm-get-secrets

Automatic merge from submit-queue (batch tested with PRs 44645, 44639, 43510) allow the token controller to get secrets we need this on secret rotation here: 2c1c0f3f72/pkg/controller/serviceaccount/tokens_controller.go (L478-L481) cc @liggitt
2025-07-24 12:15:52 +00:00 · 2017-04-18 23:22:00 -07:00 · 2017-04-18 23:22:00 -07:00 · 68131471a5
commit 68131471a5
parent fe44d1f5ce 32735173df
2 changed files with 4 additions and 2 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -300,8 +300,8 @@ func ClusterRoles() []rbac.ClusterRole {
 				eventsRule(),
 				rbac.NewRule("create").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
 				rbac.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
-				rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "serviceaccounts").RuleOrDie(),
-				rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "serviceaccounts").RuleOrDie(),
+				rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "secrets", "serviceaccounts").RuleOrDie(),
+				rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
 				// Needed to check API access.  These creates are non-mutating
 				rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),

--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@ -460,6 +460,7 @@ items:
    resources:
    - endpoints
    - namespaces
+    - secrets
    - serviceaccounts
    verbs:
    - get
@ -467,6 +468,7 @@ items:
    - ""
    resources:
    - endpoints
+    - secrets
    - serviceaccounts
    verbs:
    - update