github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-10-31 05:40:42 +00:00
Code Issues Projects Releases Wiki Activity

Add bootstrap cluster role for external pv provisioners

Browse Source
This commit is contained in:
Matthew Wong
2017-01-23 11:27:53 -05:00
parent 68f123dfa0
commit caefe1a9ed
2 changed files with 64 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@@ -284,6 +284,21 @@ func ClusterRoles() []rbac.ClusterRole {
rbac.NewRule("list", "watch").Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(), rbac.NewRule("list", "watch").Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
}, },
}, },
{
// a role for an external/out-of-tree persistent volume provisioner
ObjectMeta: metav1.ObjectMeta{Name: "system:persistent-volume-provisioner"},
Rules: []rbac.PolicyRule{
rbac.NewRule("get", "list", "watch", "create", "delete").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
// update is needed in addition to read access for setting lock annotations on PVCs
rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
rbac.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
// Needed for watching provisioning success and failure events
rbac.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),
eventsRule(),
},
},
} }
addClusterRoleLabel(roles) addClusterRoleLabel(roles)
return roles return roles

49
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@@ -653,6 +653,55 @@ items:
- patch - patch
- update - update
- apiVersion: rbac.authorization.k8s.io/v1alpha1 - apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:persistent-volume-provisioner
rules:
- apiGroups:
- ""
resources:
- persistentvolumes
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- update
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole kind: ClusterRole
metadata: metadata:
creationTimestamp: null creationTimestamp: null