diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index db44a08c62c..a4a03243ee5 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -186,11 +186,10 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 rbacv1helpers.NewRule("get", "list", "watch", "update", "patch").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
 rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("persistentvolumeclaims/status").RuleOrDie(),
 rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
- // glusterfs
- rbacv1helpers.NewRule("get", "list", "watch").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
- rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
- rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
 eventsRule(),
+
+ // volume plugin - portworx
+ rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services").RuleOrDie(),
 },
 })
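Review bot: The new cluster-wide `get` on `services` carries only the label `// volume plugin - portworx`, while the file's other plugin-specific grants name the call that needs them (`// recyclerClient.WatchPod` in the persistent-volume-binder role), so an auditor of the expand-controller service account cannot tell from this hunk why the permission exists or when it can be retired. Suggest `// volume plugin - portworx: the in-tree plugin reads its API Service object (TODO: cite the call site)`. The identical rule is added verbatim to the persistent-volume-binder role in the next hunk; a small helper in the style of `eventsRule()` would keep the two copies in sync when the plugin is eventually removed. Dropping the `secrets` get and the glusterfs storageclasses/endpoints grants is a real reduction of this service account's reach and deserves a sentence in the commit message. buildControllerRoles starts and ends outside the hunk.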
@@ -281,19 +280,15 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
 rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("persistentvolumeclaims/status").RuleOrDie(),
 rbacv1helpers.NewRule("list", "watch", "get", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
-
- // glusterfs
 rbacv1helpers.NewRule("get", "list", "watch").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
- rbacv1helpers.NewRule("get", "create", "update", "delete").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
- rbacv1helpers.NewRule("get", "create", "delete").Groups(legacyGroup).Resources("services").RuleOrDie(),
- rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
- // openstack
- rbacv1helpers.NewRule("get", "list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+ rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+ eventsRule(),
 // recyclerClient.WatchPod
 rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),
- eventsRule(),
+ // volume plugin - portworx
+ rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services").RuleOrDie(),
 },
 })
 addControllerRole(&controllerRoles, &controllerRoleBindings, func() rbacv1.ClusterRole {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 2e71d75f50f..c3c941a0b9b 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
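Review bot: The `nodes` rule changes its verbs from `get, list` to `list, watch` in the same edit that deletes its `// openstack` comment, so the surviving rule no longer names a consumer and the verb change itself goes unexplained. Removing `get` is a tightening but adding `watch` is a widening, and the two should be justified separately from the glusterfs/openstack cleanup; if a node informer in the PV controller is the consumer, say so: `// nodes are read through an informer (list/watch only) — TODO confirm against the controller's informer wiring`. Moving `eventsRule()` ahead of the `// recyclerClient.WatchPod` rule is harmless but enlarges the golden testdata diff beyond the actual permission change. buildControllerRoles starts and ends outside the hunk.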
@@ -653,27 +653,6 @@ items:
 - get
 - list
 - watch
- - apiGroups:
- - storage.k8s.io
- resources:
- - storageclasses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - endpoints
- - services
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
 - apiGroups:
 - ""
 - events.k8s.io
@@ -683,6 +662,12 @@ items:
 - create
 - patch
 - update
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -1001,41 +986,12 @@ items:
 - get
 - list
 - watch
- - apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - create
- - delete
- - get
- - update
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - create
- - delete
- - get
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
 - apiGroups:
 - ""
 resources:
 - nodes
 verbs:
- - get
 - list
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - watch
 - apiGroups:
 - ""
@@ -1046,6 +1002,18 @@ items:
 - create
 - patch
 - update
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: