Separate system:node rules

2025-07-24 04:06:03 +00:00 · 2017-05-05 02:14:02 -04:00 · 2017-05-05 02:14:02 -04:00 · d278a80a67
commit d278a80a67
parent 48a9357926
1 changed files with 45 additions and 41 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -86,6 +86,50 @@ func addClusterRoleBindingLabel(rolebindings []rbac.ClusterRoleBinding) {
 	return
 }

+func NodeRules() []rbac.PolicyRule {
+	return []rbac.PolicyRule{
+		// Needed to check API access.  These creates are non-mutating
+		rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
+		rbac.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(),
+		// Needed to build serviceLister, to populate env vars for services
+		rbac.NewRule(Read...).Groups(legacyGroup).Resources("services").RuleOrDie(),
+		// Nodes can register themselves
+		// TODO: restrict to creating a node with the same name they announce
+		rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+		// TODO: restrict to the bound node once supported
+		rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
+		rbac.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+
+		// TODO: restrict to the bound node as creator once supported
+		rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
+
+		// TODO: restrict to pods scheduled on the bound node once supported
+		rbac.NewRule(Read...).Groups(legacyGroup).Resources("pods").RuleOrDie(),
+
+		// TODO: remove once mirror pods are removed
+		// TODO: restrict deletion to mirror pods created by the bound node once supported
+		// Needed for the node to create/delete mirror pods
+		rbac.NewRule("create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
+		// TODO: restrict to pods scheduled on the bound node once supported
+		rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
+
+		// TODO: restrict to secrets and configmaps used by pods scheduled on bound node once supported
+		// Needed for imagepullsecrets, rbd/ceph and secret volumes, and secrets in envs
+		// Needed for configmap volume and envs
+		rbac.NewRule("get").Groups(legacyGroup).Resources("secrets", "configmaps").RuleOrDie(),
+		// TODO: restrict to claims/volumes used by pods scheduled on bound node once supported
+		// Needed for persistent volumes
+		rbac.NewRule("get").Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
+		// TODO: restrict to namespaces of pods scheduled on bound node once supported
+		// TODO: change glusterfs to use DNS lookup so this isn't needed?
+		// Needed for glusterfs volumes
+		rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
+		// Used to create a certificatesigningrequest for a node-specific client certificate, and watch
+		// for it to be signed. This allows the kubelet to rotate it's own certificate.
+		rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
+	}
+}
+
 // ClusterRoles returns the cluster roles to bootstrap an API server with
 func ClusterRoles() []rbac.ClusterRole {
 	roles := []rbac.ClusterRole{
@ -204,47 +248,7 @@ func ClusterRoles() []rbac.ClusterRole {
 		{
 			// a role for nodes to use to have the access they need for running pods
 			ObjectMeta: metav1.ObjectMeta{Name: "system:node"},
-			Rules: []rbac.PolicyRule{
-				// Needed to check API access.  These creates are non-mutating
-				rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
-				rbac.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(),
-				// Needed to build serviceLister, to populate env vars for services
-				rbac.NewRule(Read...).Groups(legacyGroup).Resources("services").RuleOrDie(),
-				// Nodes can register themselves
-				// TODO: restrict to creating a node with the same name they announce
-				rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
-				// TODO: restrict to the bound node once supported
-				rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
-				rbac.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
-
-				// TODO: restrict to the bound node as creator once supported
-				rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
-
-				// TODO: restrict to pods scheduled on the bound node once supported
-				rbac.NewRule(Read...).Groups(legacyGroup).Resources("pods").RuleOrDie(),
-
-				// TODO: remove once mirror pods are removed
-				// TODO: restrict deletion to mirror pods created by the bound node once supported
-				// Needed for the node to create/delete mirror pods
-				rbac.NewRule("create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
-				// TODO: restrict to pods scheduled on the bound node once supported
-				rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
-
-				// TODO: restrict to secrets and configmaps used by pods scheduled on bound node once supported
-				// Needed for imagepullsecrets, rbd/ceph and secret volumes, and secrets in envs
-				// Needed for configmap volume and envs
-				rbac.NewRule("get").Groups(legacyGroup).Resources("secrets", "configmaps").RuleOrDie(),
-				// TODO: restrict to claims/volumes used by pods scheduled on bound node once supported
-				// Needed for persistent volumes
-				rbac.NewRule("get").Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
-				// TODO: restrict to namespaces of pods scheduled on bound node once supported
-				// TODO: change glusterfs to use DNS lookup so this isn't needed?
-				// Needed for glusterfs volumes
-				rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
-				// Used to create a certificatesigningrequest for a node-specific client certificate, and watch
-				// for it to be signed. This allows the kubelet to rotate it's own certificate.
-				rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
-			},
+			Rules:      NodeRules(),
 		},
 		{
 			// a role to use for node-problem-detector access.  It does not get bound to default location since