From 896bb932effab720f15cd5f55bee54567fd3f208 Mon Sep 17 00:00:00 2001 From: Mike Tougeron Date: Thu, 15 Apr 2021 11:02:26 -0700 Subject: [PATCH] Add endpointslices to default edit & view RBAC policies --- .../authorizer/rbac/bootstrappolicy/policy.go | 4 ++++ .../testdata/cluster-roles.yaml | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index a7779186043..7d456696faf 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -287,6 +287,8 @@ func ClusterRoles() []rbacv1.ClusterRole { rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts", "services", "services/proxy", "endpoints", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(), + rbacv1helpers.NewRule(Write...).Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(), + rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources( "statefulsets", "statefulsets/scale", "daemonsets", @@ -320,6 +322,8 @@ func ClusterRoles() []rbacv1.ClusterRole { // indicator of which namespaces you have access to. rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(), + rbacv1helpers.NewRule(Read...).Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(), + rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources( "controllerrevisions", "statefulsets", "statefulsets/status", "statefulsets/scale", diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml index 4fe18334ec7..9648ad8bbfe 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml 
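Review bot: The added `Write` rule for `endpointslices` in the first policy.go hunk gives every holder of the default edit role create, update, patch and delete on the objects that decide where a Service's traffic is sent, and nothing visible here limits the addresses an editor may put in a slice to workloads in their own namespace. The rule mirrors the existing `"endpoints"` write grant in the context lines just above it, so it is consistent, but it extends that trust to a second API and should be a deliberate decision rather than parity by default; the `Read` rule in the second hunk (view role) does not raise the same concern. If the grant stays, I would document it in place, e.g. `// Write on endpointslices lets namespace editors set arbitrary backend addresses for Services; keep in step with the "endpoints" grant above.` Operators who hand out edit as a tenant-level role can audit the effect with `kubectl auth can-i create endpointslices.discovery.k8s.io --as=<user> -n <namespace>`. `ClusterRoles()` starts and ends outside both hunks, so which role each rule lands in is inferred from the commit subject rather than from the visible lines.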
@@ -142,6 +142,16 @@ items:
 - deletecollection
 - patch
 - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
 - apiGroups:
 - apps
 resources:
@@ -271,6 +281,14 @@ items:
 - get
 - list
 - watch
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - apps
 resources: