From 736f5e2349ede92d35f8f2588d31175fd97533e0 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 11 May 2018 09:37:21 -0400
Subject: [PATCH] Revert "authz: nodes should not be able to delete themselves"

This reverts commit 35de82094ac81713dd34c3f03d0e95d604731f61.
---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 2 +-
 .../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 1 +
 test/integration/auth/node_test.go | 7 ++-----
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index db8132bd34e..98a899f7ba3 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -105,7 +105,7 @@ func NodeRules() []rbac.PolicyRule {
 // Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
 rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
- rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+ rbac.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 // TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
 rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index df2e3e8d3bb..76d6089399b 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -1067,6 +1067,7 @@ items:
 resources:
 - nodes
 verbs:
+ - delete
 - patch
 - update
 - apiGroups:
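Review bot: The added `"delete"` verb on `nodes` in the `+` line is only as safe as NodeRestriction's handling of delete, yet the comment two lines above still says the plugin limits a node to "creating/updating" its own API object, so the source now grants a verb its own comment does not account for; `NodeRules()` starts and ends outside the hunk. If NodeRestriction does not also compare the requested node name on delete, this rule lets any kubelet credential remove any Node object — confirm that before merging, then update the comment to `// Use the NodeRestriction admission plugin to limit a node to creating/updating/deleting its own API object.` The commit body names only the reverted SHA; a one-line reason for re-widening a node privilege (presumably a kubelet re-registration path that deletes its stale Node, though that is not visible here) would let future readers judge whether the grant is still needed.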
diff --git a/test/integration/auth/node_test.go b/test/integration/auth/node_test.go
index 1840b058799..a8d58adef19 100644
--- a/test/integration/auth/node_test.go
+++ b/test/integration/auth/node_test.go
@@ -419,8 +419,7 @@ func TestNodeAuthorizer(t *testing.T) {
 expectAllowed(t, createNode2MirrorPodEviction(node2Client))
 expectAllowed(t, createNode2(node2Client))
 expectAllowed(t, updateNode2Status(node2Client))
- // cleanup node
- expectAllowed(t, deleteNode2(superuserClient))
+ expectAllowed(t, deleteNode2(node2Client))
 
 // create a pod as an admin to add object references
 expectAllowed(t, createNode2NormalPod(superuserClient))
@@ -510,10 +509,8 @@ func TestNodeAuthorizer(t *testing.T) {
 expectAllowed(t, unsetNode2ConfigSource(superuserClient))
 // node2 can no longer get the configmap after it is unassigned as its config source
 expectForbidden(t, getConfigMapConfigSource(node2Client))
- // node should not be able to delete itself
- expectForbidden(t, deleteNode2(node2Client))
 // clean up node2
- expectAllowed(t, deleteNode2(superuserClient))
+ expectAllowed(t, deleteNode2(node2Client))
 
 //TODO(mikedanese): integration test node restriction of TokenRequest
 }
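Review bot: The second hunk drops the only negative assertion around node deletion and replaces it with the positive `expectAllowed(t, deleteNode2(node2Client))`, so nothing in TestNodeAuthorizer now checks that a node still cannot delete a different node once the system:node role carries `delete` — which is exactly the boundary the widened grant depends on. If another node identity is in scope in this test (a node1 client is not visible in the hunk), add `expectForbidden(t, deleteNode2(node1Client))` immediately before the `// clean up node2` line so the cross-node case is pinned by the integration test rather than assumed. The enclosing TestNodeAuthorizer body starts before the hunk; its closing brace is the hunk's last line.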