Merge pull request #39544 from foxish/fix-rbac-disruption

Automatic merge from submit-queue (batch tested with PRs 39544, 39552, 39553) Allow disruption controller to read statefulsets **What this PR does / why we need it**: Disruption controller was unable to list/watch statefulsets when RBAC is enabled because it wasn't granted permission. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes https://github.com/kubernetes/kubernetes/issues/39541 cc @mwielgus
2025-07-24 20:24:09 +00:00 · 2017-01-06 17:03:07 -08:00 · 2017-01-06 17:03:07 -08:00 · 8a4f367cf3
commit 8a4f367cf3
parent 0bbb49d2d5 a8a65022b4
2 changed files with 10 additions and 0 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@ -108,6 +108,7 @@ func init() {
 			rbac.NewRule("get", "list", "watch").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
 			rbac.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
 			rbac.NewRule("get", "list", "watch").Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
 			rbac.NewRule("update").Groups(policyGroup).Resources("poddisruptionbudgets/status").RuleOrDie(),
 			eventsRule(),
 		},
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@ -263,6 +263,15 @@ items:
    - get
    - list
    - watch
+  - apiGroups:
+    - apps
+    attributeRestrictions: null
+    resources:
+    - statefulsets
+    verbs:
+    - get
+    - list
+    - watch
  - apiGroups:
    - policy
    attributeRestrictions: null