github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

Revert "authz: nodes should not be able to delete themselves"

Browse Source 
This reverts commit 35de82094a.
This commit is contained in:
Jordan Liggitt 2018-05-11 09:37:21 -04:00
parent b617748f7b
commit 736f5e2349
No known key found for this signature in database
GPG Key ID: 39928704103C7229
3 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@ -105,7 +105,7 @@ func NodeRules() []rbac.PolicyRule {
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object. // Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(), rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(), rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(), rbac.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin // TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(), rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),

1
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@ -1067,6 +1067,7 @@ items:
resources: resources:
- nodes - nodes
verbs: verbs:
- delete
- patch - patch
- update - update
- apiGroups: - apiGroups:

7
test/integration/auth/node_test.go
View File

@ -419,8 +419,7 @@ func TestNodeAuthorizer(t *testing.T) {
expectAllowed(t, createNode2MirrorPodEviction(node2Client)) expectAllowed(t, createNode2MirrorPodEviction(node2Client))
expectAllowed(t, createNode2(node2Client)) expectAllowed(t, createNode2(node2Client))
expectAllowed(t, updateNode2Status(node2Client)) expectAllowed(t, updateNode2Status(node2Client))
// cleanup node expectAllowed(t, deleteNode2(node2Client))
expectAllowed(t, deleteNode2(superuserClient))
// create a pod as an admin to add object references // create a pod as an admin to add object references
expectAllowed(t, createNode2NormalPod(superuserClient)) expectAllowed(t, createNode2NormalPod(superuserClient))
@ -510,10 +509,8 @@ func TestNodeAuthorizer(t *testing.T) {
expectAllowed(t, unsetNode2ConfigSource(superuserClient)) expectAllowed(t, unsetNode2ConfigSource(superuserClient))
// node2 can no longer get the configmap after it is unassigned as its config source // node2 can no longer get the configmap after it is unassigned as its config source
expectForbidden(t, getConfigMapConfigSource(node2Client)) expectForbidden(t, getConfigMapConfigSource(node2Client))
// node should not be able to delete itself
expectForbidden(t, deleteNode2(node2Client))
// clean up node2 // clean up node2
expectAllowed(t, deleteNode2(superuserClient)) expectAllowed(t, deleteNode2(node2Client))
//TODO(mikedanese): integration test node restriction of TokenRequest //TODO(mikedanese): integration test node restriction of TokenRequest
} }