Fix bootstrap roles to allow list/watch secrets/configmaps from nodes

wojtekt 2018-05-10 15:52:25 +02:00
parent f344c5c062
commit b2500d41e9
2 changed files with 3 additions and 1 deletions


@ -126,7 +126,7 @@ func NodeRules() []rbac.PolicyRule {
// Needed for imagepullsecrets, rbd/ceph and secret volumes, and secrets in envs
// Needed for configmap volume and envs
// Use the Node authorization mode to limit a node to get secrets/configmaps referenced by pods bound to itself.
rbac.NewRule("get").Groups(legacyGroup).Resources("secrets", "configmaps").RuleOrDie(),
rbac.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("secrets", "configmaps").RuleOrDie(),
// Needed for persistent volumes
// Use the Node authorization mode to limit a node to get pv/pvc objects referenced by pods bound to itself.
rbac.NewRule("get").Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
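Review bot: The comment two lines above the changed rule still says the Node authorization mode limits a node to "get" secrets/configmaps referenced by pods bound to itself, while the rule now also grants `list` and `watch`; it should read `// Use the Node authorization mode to limit a node to get/list/watch secrets/configmaps referenced by pods bound to itself.` so the stated mitigation matches the verbs actually granted. The wider verbs also change the risk profile: a cluster that relies on RBAC alone, without the Node authorizer, now lets a node credential enumerate every secret and configmap rather than fetch only objects it can name, so the change presumably depends on the Node authorizer restricting list/watch to single, referenced objects as it does for get, and that dependency is worth stating in the commit message. NodeRules starts and ends outside this hunk.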


@ -1112,6 +1112,8 @@ items:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources: