Don't create PSP binding when RBAC is not enabled

This commit is contained in:
Mikkel Oscar Lyderik Larsen 2017-12-13 14:24:01 +01:00 committed by Mikkel Oscar Lyderik Larsen
parent 3836857229
commit a37d8ec1f9
No known key found for this signature in database
GPG Key ID: 50AD98B2A0D8D4EF


@ -97,7 +97,7 @@ var (
) )
func CreatePrivilegedPSPBinding(f *Framework, namespace string) { func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
if !IsPodSecurityPolicyEnabled(f) || !IsRBACEnabled(f) { if !IsPodSecurityPolicyEnabled(f) {
return return
} }
// Create the privileged PSP & role // Create the privileged PSP & role
@ -114,30 +114,34 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
psp, err = f.ClientSet.ExtensionsV1beta1().PodSecurityPolicies().Create(psp) psp, err = f.ClientSet.ExtensionsV1beta1().PodSecurityPolicies().Create(psp)
ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged) ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)
// Create the Role to bind it to the namespace. if IsRBACEnabled(f) {
_, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{ // Create the Role to bind it to the namespace.
ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged}, _, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
Rules: []rbacv1beta1.PolicyRule{{ ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
APIGroups: []string{"extensions"}, Rules: []rbacv1beta1.PolicyRule{{
Resources: []string{"podsecuritypolicies"}, APIGroups: []string{"extensions"},
ResourceNames: []string{podSecurityPolicyPrivileged}, Resources: []string{"podsecuritypolicies"},
Verbs: []string{"use"}, ResourceNames: []string{podSecurityPolicyPrivileged},
}}, Verbs: []string{"use"},
}) }},
ExpectNoError(err, "Failed to create PSP role") })
ExpectNoError(err, "Failed to create PSP role")
}
}) })
By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s", if IsRBACEnabled(f) {
podSecurityPolicyPrivileged, namespace)) By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(), podSecurityPolicyPrivileged, namespace))
podSecurityPolicyPrivileged, BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
namespace, podSecurityPolicyPrivileged,
rbacv1beta1.Subject{ namespace,
Kind: rbacv1beta1.ServiceAccountKind, rbacv1beta1.Subject{
Namespace: namespace, Kind: rbacv1beta1.ServiceAccountKind,
Name: "default", Namespace: namespace,
}) Name: "default",
ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(), })
serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged, ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true)) serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
}
} }
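Review bot: The two new `if IsRBACEnabled(f)` branches (around the ClusterRole creation and around the binding plus WaitForNamedAuthorizationUpdate) silently assume that when RBAC is off, whatever authorizer the cluster runs already lets the namespace's default service account `use` the privileged PSP; with any other authorizer (ABAC, webhook) the PSP is still created but nothing is granted access to it, and pods in the test namespace would be rejected by PSP admission with no hint why. A comment at the first branch would record that assumption, e.g. `// Without RBAC no binding can be created; the cluster's authorizer (e.g. AlwaysAllow) must already permit "use" on the PSP.` `IsRBACEnabled(f)` is also evaluated twice; if it involves an API call, compute it once as `rbacEnabled := IsRBACEnabled(f)` before the creation closure and test `rbacEnabled` in both branches so the role and binding decisions cannot diverge between calls. The closure enclosing the first branch opens before this hunk, and CreatePrivilegedPSPBinding's signature is in the earlier hunk.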