From ec532389013faa4a4752936fcb9cf89a86650201 Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Mon, 18 Dec 2017 20:31:17 -0800
Subject: [PATCH 1/3] Add '/version/*' to the system:discovery role, since that's what the open api spec says.
---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 2 +-
 .../authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index b8e4db11103..243f2109dcf 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -169,7 +169,7 @@ func ClusterRoles() []rbac.ClusterRole {
 ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
 Rules: []rbac.PolicyRule{
 rbac.NewRule("get").URLs(
- "/healthz", "/version",
+ "/healthz", "/version", "/version/*",
 // remove once swagger 1.2 support is removed
 "/swaggerapi", "/swaggerapi/*",
 // do not expand this pattern for openapi discovery docs
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 908b6ee1b7e..a47756c6c81 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -640,6 +640,7 @@ items:
 - /swaggerapi
 - /swaggerapi/*
 - /version
+ - /version/*
 verbs:
 - get
 - apiVersion: rbac.authorization.k8s.io/v1
From 519d0cde7b4f06b527d5636c8fdb550dec96ad59 Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Wed, 20 Dec 2017 10:44:07 -0800
Subject: [PATCH 2/3] Update policy.go
---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 243f2109dcf..138c4f2a440 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -169,7 +169,7 @@ func ClusterRoles() []rbac.ClusterRole {
 ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
 Rules: []rbac.PolicyRule{
 rbac.NewRule("get").URLs(
- "/healthz", "/version", "/version/*",
+ "/healthz", "/version", "/version/",
 // remove once swagger 1.2 support is removed
 "/swaggerapi", "/swaggerapi/*",
 // do not expand this pattern for openapi discovery docs
From 20bb9edff45d36df3fe88adea80bc1bf26ea90e9 Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Wed, 20 Dec 2017 10:44:55 -0800
Subject: [PATCH 3/3] Update cluster-roles.yaml
---
 .../authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index a47756c6c81..477a6e903ba 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -640,7 +640,7 @@ items:
 - /swaggerapi
 - /swaggerapi/*
 - /version
- - /version/*
+ - /version/
 verbs:
 - get
 - apiVersion: rbac.authorization.k8s.io/v1
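Review bot: The new `"/version/"` entry in the `system:discovery` URL list of policy.go (PATCH 2/3) carries no comment saying why the trailing-slash form is granted or that it is deliberately an exact path, although the neighbouring entries are annotated. Non-resource URL rules match literally unless they end in `*`, and PATCH 1/3 briefly granted `"/version/*"`, so a later edit could widen this default role again without anyone noticing. I would move the entry to its own line under a comment such as `// "/version/" is the form listed in the OpenAPI spec; keep it an exact path, do not widen to "/version/*"`. Which subjects are bound to this role is not visible in the hunk, so the resulting exposure should be checked against the role bindings; ClusterRoles() starts and ends outside the hunk.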