github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 05:57:25 +00:00
Code Issues Projects Releases Wiki Activity

CLE rbac for lease and leasecandidate in kube-system

Browse Source
This commit is contained in:
Jefftree 2024-07-21 20:05:30 +00:00
parent 9b16b0dc97
commit b5a62f14cd
5 changed files with 69 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
View File

@ -19,11 +19,11 @@ package bootstrappolicy
import ( import (
"strings" "strings"
"k8s.io/klog/v2"
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/klog/v2"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1" rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
) )
@ -110,6 +110,8 @@ func init() {
Rules: []rbacv1.PolicyRule{ Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(), rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-controller-manager").RuleOrDie(), rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-controller-manager").RuleOrDie(),
rbacv1helpers.NewRule("get", "watch", "list", "create", "update").Groups("coordination.k8s.io").Resources("leases").RuleOrDie(),
rbacv1helpers.NewRule("get", "watch", "list", "create", "update").Groups("coordination.k8s.io").Resources("leasecandidates").RuleOrDie(),
}, },
}) })
addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{ addNamespaceRole(metav1.NamespaceSystem, rbacv1.Role{
@ -118,6 +120,8 @@ func init() {
Rules: []rbacv1.PolicyRule{ Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(), rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(), rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
rbacv1helpers.NewRule("get", "watch", "list", "create", "update").Groups("coordination.k8s.io").Resources("leases").RuleOrDie(),
rbacv1helpers.NewRule("get", "watch", "list", "create", "update").Groups("coordination.k8s.io").Resources("leasecandidates").RuleOrDie(),
}, },
}) })
@ -125,8 +129,9 @@ func init() {
delegatedAuthBinding.Name = "system::extension-apiserver-authentication-reader" delegatedAuthBinding.Name = "system::extension-apiserver-authentication-reader"
addNamespaceRoleBinding(metav1.NamespaceSystem, delegatedAuthBinding) addNamespaceRoleBinding(metav1.NamespaceSystem, delegatedAuthBinding)
// E1201 20:39:34.550004 1182102 controller.go:231] leases.coordination.k8s.io is forbidden: User "system:serviceaccount:kube-system:leader-election-controller" cannot create resource "leases" in API group "coordination.k8s.io" in the namespace "kube-system"
addNamespaceRoleBinding(metav1.NamespaceSystem, addNamespaceRoleBinding(metav1.NamespaceSystem,
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).Users(user.KubeControllerManager).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie()) rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).Users(user.KubeControllerManager).SAs(metav1.NamespaceSystem, "kube-controller-manager", "leader-election-controller").BindingOrDie())
addNamespaceRoleBinding(metav1.NamespaceSystem, addNamespaceRoleBinding(metav1.NamespaceSystem,
rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).Users(user.KubeScheduler).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie()) rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).Users(user.KubeScheduler).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
addNamespaceRoleBinding(metav1.NamespaceSystem, addNamespaceRoleBinding(metav1.NamespaceSystem,

4
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@ -25,6 +25,7 @@ import (
"k8s.io/apiserver/pkg/authentication/serviceaccount" "k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1" rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
) )
@ -551,7 +552,8 @@ func ClusterRoles() []rbacv1.ClusterRole {
// This is for leaderlease access // This is for leaderlease access
// TODO: scope this to the kube-system namespace // TODO: scope this to the kube-system namespace
rbacv1helpers.NewRule("create").Groups(coordinationGroup).Resources("leases").RuleOrDie(), rbacv1helpers.NewRule("create").Groups(coordinationGroup).Resources("leases").RuleOrDie(),
rbacv1helpers.NewRule("get", "update").Groups(coordinationGroup).Resources("leases").Names("kube-scheduler").RuleOrDie(), rbacv1helpers.NewRule("get", "update", "list", "watch").Groups(coordinationGroup).Resources("leases").Names("kube-scheduler").RuleOrDie(),
rbacv1helpers.NewRule(ReadWrite...).Groups(coordinationGroup).Resources("leasecandidates").RuleOrDie(),
// Fundamental resources // Fundamental resources
rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("nodes").RuleOrDie(), rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("nodes").RuleOrDie(),

15
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@ -741,7 +741,22 @@ items:
- leases - leases
verbs: verbs:
- get - get
- list
- update - update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leasecandidates
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups: - apiGroups:
- "" - ""
resources: resources:

3
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml vendored
View File

@ -60,6 +60,9 @@ items:
- kind: ServiceAccount - kind: ServiceAccount
name: kube-controller-manager name: kube-controller-manager
namespace: kube-system namespace: kube-system
- kind: ServiceAccount
name: leader-election-controller
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1 - apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:

40
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml vendored
View File

@ -83,6 +83,26 @@ items:
verbs: verbs:
- get - get
- update - update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leasecandidates
verbs:
- create
- get
- list
- update
- watch
- apiVersion: rbac.authorization.k8s.io/v1 - apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -109,6 +129,26 @@ items:
verbs: verbs:
- get - get
- update - update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leasecandidates
verbs:
- create
- get
- list
- update
- watch
- apiVersion: rbac.authorization.k8s.io/v1 - apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata: