github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-08 03:33:56 +00:00
Code Issues Projects Releases Wiki Activity

Don't create PSP binding when RBAC is not enabled

Browse Source
This commit is contained in:
Mikkel Oscar Lyderik Larsen 2017-12-13 14:24:01 +01:00 committed by Mikkel Oscar Lyderik Larsen
parent 3836857229
commit a37d8ec1f9
No known key found for this signature in database
GPG Key ID: 50AD98B2A0D8D4EF
1 changed files with 29 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
test/e2e/framework/psp_util.go
View File

@ -97,7 +97,7 @@ var (
)
func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
if !IsPodSecurityPolicyEnabled(f) || !IsRBACEnabled(f) {
if !IsPodSecurityPolicyEnabled(f) {
return
}
// Create the privileged PSP & role
@ -114,6 +114,7 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
psp, err = f.ClientSet.ExtensionsV1beta1().PodSecurityPolicies().Create(psp)
ExpectNoError(err, "Failed to create PSP %s", podSecurityPolicyPrivileged)
if IsRBACEnabled(f) {
// Create the Role to bind it to the namespace.
_, err = f.ClientSet.RbacV1beta1().ClusterRoles().Create(&rbacv1beta1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{Name: podSecurityPolicyPrivileged},
@ -125,8 +126,10 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
}},
})
ExpectNoError(err, "Failed to create PSP role")
}
})
if IsRBACEnabled(f) {
By(fmt.Sprintf("Binding the %s PodSecurityPolicy to the default service account in %s",
podSecurityPolicyPrivileged, namespace))
BindClusterRoleInNamespace(f.ClientSet.RbacV1beta1(),
@ -140,4 +143,5 @@ func CreatePrivilegedPSPBinding(f *Framework, namespace string) {
ExpectNoError(WaitForNamedAuthorizationUpdate(f.ClientSet.AuthorizationV1beta1(),
serviceaccount.MakeUsername(namespace, "default"), namespace, "use", podSecurityPolicyPrivileged,
schema.GroupResource{Group: "extensions", Resource: "podsecuritypolicies"}, true))
}
}