From d278a80a670a7e1a86ff1729fa67c89f6cc5bf81 Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Fri, 5 May 2017 02:14:02 -0400 Subject: [PATCH] Separate system:node rules --- .../authorizer/rbac/bootstrappolicy/policy.go | 86 ++++++++++--------- 1 file changed, 45 insertions(+), 41 deletions(-) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index caefaf38589..4e4e3a8e09c 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -86,6 +86,50 @@ func addClusterRoleBindingLabel(rolebindings []rbac.ClusterRoleBinding) { return } +func NodeRules() []rbac.PolicyRule { + return []rbac.PolicyRule{ + // Needed to check API access. These creates are non-mutating + rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(), + rbac.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(), + // Needed to build serviceLister, to populate env vars for services + rbac.NewRule(Read...).Groups(legacyGroup).Resources("services").RuleOrDie(), + // Nodes can register themselves + // TODO: restrict to creating a node with the same name they announce + rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(), + // TODO: restrict to the bound node once supported + rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(), + rbac.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(), + + // TODO: restrict to the bound node as creator once supported + rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(), + + // TODO: restrict to pods scheduled on the bound node once supported + rbac.NewRule(Read...).Groups(legacyGroup).Resources("pods").RuleOrDie(), + + // TODO: remove once mirror pods are removed + // TODO: restrict deletion to mirror pods created by the bound node once supported + // Needed for the node to create/delete mirror pods + rbac.NewRule("create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(), + // TODO: restrict to pods scheduled on the bound node once supported + rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(), + + // TODO: restrict to secrets and configmaps used by pods scheduled on bound node once supported + // Needed for imagepullsecrets, rbd/ceph and secret volumes, and secrets in envs + // Needed for configmap volume and envs + rbac.NewRule("get").Groups(legacyGroup).Resources("secrets", "configmaps").RuleOrDie(), + // TODO: restrict to claims/volumes used by pods scheduled on bound node once supported + // Needed for persistent volumes + rbac.NewRule("get").Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(), + // TODO: restrict to namespaces of pods scheduled on bound node once supported + // TODO: change glusterfs to use DNS lookup so this isn't needed? + // Needed for glusterfs volumes + rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(), + // Used to create a certificatesigningrequest for a node-specific client certificate, and watch + // for it to be signed. This allows the kubelet to rotate it's own certificate. + rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(), + } +} + // ClusterRoles returns the cluster roles to bootstrap an API server with func ClusterRoles() []rbac.ClusterRole { roles := []rbac.ClusterRole{ @@ -204,47 +248,7 @@ func ClusterRoles() []rbac.ClusterRole { { // a role for nodes to use to have the access they need for running pods ObjectMeta: metav1.ObjectMeta{Name: "system:node"}, - Rules: []rbac.PolicyRule{ - // Needed to check API access. These creates are non-mutating - rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(), - rbac.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(), - // Needed to build serviceLister, to populate env vars for services - rbac.NewRule(Read...).Groups(legacyGroup).Resources("services").RuleOrDie(), - // Nodes can register themselves - // TODO: restrict to creating a node with the same name they announce - rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(), - // TODO: restrict to the bound node once supported - rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(), - rbac.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(), - - // TODO: restrict to the bound node as creator once supported - rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(), - - // TODO: restrict to pods scheduled on the bound node once supported - rbac.NewRule(Read...).Groups(legacyGroup).Resources("pods").RuleOrDie(), - - // TODO: remove once mirror pods are removed - // TODO: restrict deletion to mirror pods created by the bound node once supported - // Needed for the node to create/delete mirror pods - rbac.NewRule("create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(), - // TODO: restrict to pods scheduled on the bound node once supported - rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(), - - // TODO: restrict to secrets and configmaps used by pods scheduled on bound node once supported - // Needed for imagepullsecrets, rbd/ceph and secret volumes, and secrets in envs - // Needed for configmap volume and envs - rbac.NewRule("get").Groups(legacyGroup).Resources("secrets", "configmaps").RuleOrDie(), - // TODO: restrict to claims/volumes used by pods scheduled on bound node once supported - // Needed for persistent volumes - rbac.NewRule("get").Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(), - // TODO: restrict to namespaces of pods scheduled on bound node once supported - // TODO: change glusterfs to use DNS lookup so this isn't needed? - // Needed for glusterfs volumes - rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(), - // Used to create a certificatesigningrequest for a node-specific client certificate, and watch - // for it to be signed. This allows the kubelet to rotate it's own certificate. - rbac.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(), - }, + Rules: NodeRules(), }, { // a role to use for node-problem-detector access. It does not get bound to default location since