Merge pull request #81199 from liggitt/narrow-aggregation-permissions

Use the escalate verb for clusterroleaggregator rather than cluster-admin permissions
2025-07-29 14:37:00 +00:00 · 2019-08-13 19:36:37 -07:00 · 2019-08-13 19:36:37 -07:00 · 77c9e98198
commit 77c9e98198
parent 1e82e1ca1f 8b155e82d8
2 changed files with 10 additions and 10 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@ -85,9 +85,8 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "clusterrole-aggregation-controller"},
 		Rules: []rbacv1.PolicyRule{
-			// this controller must have full permissions to allow it to mutate any role in any way
+			// this controller must have full permissions on clusterroles to allow it to mutate them in any way
-			rbacv1helpers.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
+			rbacv1helpers.NewRule("escalate", "get", "list", "watch", "update", "patch").Groups(rbacGroup).Resources("clusterroles").RuleOrDie(),
 			rbacv1helpers.NewRule("*").URLs("*").RuleOrDie(),
 		},
 	})
 	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@ -119,15 +119,16 @@ items:
    name: system:controller:clusterrole-aggregation-controller
  rules:
  - apiGroups:
-    - '*'
+    - rbac.authorization.k8s.io
    resources:
-    - '*'
+    - clusterroles
    verbs:
-    - '*'
+    - escalate
-  - nonResourceURLs:
+    - get
-    - '*'
+    - list
-    verbs:
+    - patch
-    - '*'
+    - update
    - watch
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata: