github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 22:17:14 +00:00
Code Issues Projects Releases Wiki Activity

Add rbac policies for NetworkPolicy

Browse Source
This commit is contained in:
Dan Winship 2017-11-30 17:09:52 -05:00
parent 3904cc7803
commit ac336a6eb2
2 changed files with 50 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@ -48,6 +48,7 @@ const (
storageGroup = "storage.k8s.io" storageGroup = "storage.k8s.io"
resMetricsGroup = "metrics.k8s.io" resMetricsGroup = "metrics.k8s.io"
customMetricsGroup = "custom.metrics.k8s.io" customMetricsGroup = "custom.metrics.k8s.io"
networkingGroup = "networking.k8s.io"
) )
func addDefaultMetadata(obj runtime.Object) { func addDefaultMetadata(obj runtime.Object) {
@ -231,10 +232,13 @@ func ClusterRoles() []rbac.ClusterRole {
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets",
"deployments", "deployments/scale", "deployments/rollback", "ingresses", "deployments", "deployments/scale", "deployments/rollback", "ingresses",
"replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(), "replicasets", "replicasets/scale", "replicationcontrollers/scale",
"networkpolicies").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(networkingGroup).Resources("networkpolicies").RuleOrDie(),
// additional admin powers // additional admin powers
rbac.NewRule("create").Groups(authorizationGroup).Resources("localsubjectaccessreviews").RuleOrDie(), rbac.NewRule("create").Groups(authorizationGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(rbacGroup).Resources("roles", "rolebindings").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(rbacGroup).Resources("roles", "rolebindings").RuleOrDie(),
@ -267,9 +271,12 @@ func ClusterRoles() []rbac.ClusterRole {
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets",
"deployments", "deployments/scale", "deployments/rollback", "ingresses", "deployments", "deployments/scale", "deployments/rollback", "ingresses",
"replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(), "replicasets", "replicasets/scale", "replicationcontrollers/scale",
"networkpolicies").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(networkingGroup).Resources("networkpolicies").RuleOrDie(),
}, },
}, },
{ {
@ -295,9 +302,12 @@ func ClusterRoles() []rbac.ClusterRole {
rbac.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(), rbac.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale", rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
"ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(), "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale",
"networkpolicies").RuleOrDie(),
rbac.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), rbac.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
rbac.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies").RuleOrDie(),
}, },
}, },
{ {

37
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@ -181,6 +181,7 @@ items:
- deployments/rollback - deployments/rollback
- deployments/scale - deployments/scale
- ingresses - ingresses
- networkpolicies
- replicasets - replicasets
- replicasets/scale - replicasets/scale
- replicationcontrollers/scale - replicationcontrollers/scale
@ -206,6 +207,19 @@ items:
- patch - patch
- update - update
- watch - watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups: - apiGroups:
- authorization.k8s.io - authorization.k8s.io
resources: resources:
@ -359,6 +373,7 @@ items:
- deployments/rollback - deployments/rollback
- deployments/scale - deployments/scale
- ingresses - ingresses
- networkpolicies
- replicasets - replicasets
- replicasets/scale - replicasets/scale
- replicationcontrollers/scale - replicationcontrollers/scale
@ -384,6 +399,19 @@ items:
- patch - patch
- update - update
- watch - watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiVersion: rbac.authorization.k8s.io/v1 - apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
@ -471,6 +499,7 @@ items:
- deployments - deployments
- deployments/scale - deployments/scale
- ingresses - ingresses
- networkpolicies
- replicasets - replicasets
- replicasets/scale - replicasets/scale
- replicationcontrollers/scale - replicationcontrollers/scale
@ -486,6 +515,14 @@ items:
- get - get
- list - list
- watch - watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1 - apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
metadata: metadata: