From bc4a13bd7459b80a900b75486e8ff0341c3261ed Mon Sep 17 00:00:00 2001
From: SataQiu
Date: Wed, 4 Jan 2023 16:28:11 +0800
Subject: [PATCH] remove heapster rule from system:controller:horizontal-pod-autoscaler clusterrole
---
 .../authorizer/rbac/bootstrappolicy/controller_policy.go | 2 --
 .../rbac/bootstrappolicy/testdata/controller-roles.yaml | 9 ---------
 2 files changed, 11 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 1ad9ac11e5a..8f9d5016294 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -233,8 +233,6 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 rbacv1helpers.NewRule("update").Groups(autoscalingGroup).Resources("horizontalpodautoscalers/status").RuleOrDie(),
 rbacv1helpers.NewRule("get", "update").Groups("*").Resources("*/scale").RuleOrDie(),
 rbacv1helpers.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
- // TODO: restrict this to the appropriate namespace
- rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
 // allow listing resource, custom, and external metrics
 rbacv1helpers.NewRule("list").Groups(resMetricsGroup).Resources("pods").RuleOrDie(),
 rbacv1helpers.NewRule("get", "list").Groups(customMetricsGroup).Resources("*").RuleOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index e9cd9730cc1..9a476e9edd8 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -749,15 +749,6 @@ items:
 - pods
 verbs:
 - list
- - apiGroups:
- - ""
- resourceNames:
- - 'http:heapster:'
- - 'https:heapster:'
- resources:
- - services/proxy
- verbs:
- - get
 - apiGroups:
 - metrics.k8s.io
 resources: