From 967d4fb5f7d3ed7cd3cc8bf852aeca2472f117f1 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 13 Feb 2017 13:14:47 -0500
Subject: [PATCH] give nodes update/delete permissions
---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 1 +
 .../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index e0ee757a044..cdb74d990a0 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -192,6 +192,7 @@ func ClusterRoles() []rbac.ClusterRole {
 rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 // TODO: restrict to the bound node once supported
 rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
+ rbac.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 // TODO: restrict to the bound node as creator once supported
 rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 99a6d8164de..5680d746559 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -541,6 +541,14 @@ items:
 verbs:
 - patch
 - update
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - delete
+ - patch
+ - update
 - apiGroups:
 - ""
 resources:
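Review bot: The added `rbac.NewRule("update", "patch", "delete")...Resources("nodes")` line in `ClusterRoles()` grants write and delete access to every Node object, not only the caller's own, and it has no comment marking that scope as temporary. It also sits after the `nodes/status` rule, so it is unclear whether the existing "restrict to the bound node" TODO is meant to cover it. Until per-node restriction exists, any credential bound to this role can modify or remove another node's object, so the widening should be stated on the line itself, for example `// TODO: restrict to the bound node once supported; until then this allows update/patch/delete of any Node`. The commit message gives no reason for `delete`; a short why-comment would help later reviewers decide whether that verb can be dropped or split into its own rule. The role this rule list belongs to is declared outside the hunk, so the affected subject is inferred from the commit subject only.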