From cfbe5f1891fa11f153c89e7a4239e84238a86440 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Fri, 16 Apr 2021 11:01:13 +0200
Subject: [PATCH] Fix RBAC of generic ephemeral volumes controller

The controller must be able to "update" finalizers of all pods to make OwnerReferencesPermissionEnforcement admission plugin happy.
---
 .../authorizer/rbac/bootstrappolicy/controller_policy.go | 1 +
 .../rbac/bootstrappolicy/testdata/controller-roles.yaml | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 63f4d3055c8..3cd6390a02c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -198,6 +198,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "ephemeral-volume-controller"},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
+ rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("pods/finalizers").RuleOrDie(),
 rbacv1helpers.NewRule("get", "list", "watch", "create").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
 eventsRule(),
 },
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index d61759d07ae..3baa1d50902 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -587,6 +587,12 @@ items: - get - list - watch + - apiGroups: + - "" resources: + - pods/finalizers verbs: + - update - apiGroups: - "" resources:
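Review bot: The new pods/finalizers rule in the controller_policy.go hunk carries no explanation in the code, so a reader of buildControllerRoles sees a volume controller being granted write access to pod finalizers with no hint of why; the reason lives only in the commit message. Add a why-comment above the added line, e.g. `// OwnerReferencesPermissionEnforcement requires "update" on the owner's finalizers subresource before the controller may set blockOwnerDeletion on a pod ownerReference.` (the blockOwnerDeletion detail is inferred from the commit message and should be confirmed against the controller). The grant is scoped to the finalizers subresource rather than to pods themselves, which is the narrowest verb/resource pair that admission check accepts, so the permission itself looks appropriately minimal. buildControllerRoles starts and ends outside the hunk; the testdata/controller-roles.yaml hunk only mirrors this rule in the golden file and needs no separate note.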