diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index cbbb3a33ae4..3f5f54e3b61 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -27,8 +27,9 @@ import (
 )
 
 var (
- ReadWrite = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
- Read = []string{"get", "list", "watch"}
+ ReadWrite = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
+ Read = []string{"get", "list", "watch"}
+ ReadUpdate = []string{"get", "list", "watch", "update", "patch"}
 
 Label = map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}
 Annotation = map[string]string{rbac.AutoUpdateAnnotationKey: "true"}
@@ -483,15 +484,13 @@ func ClusterRoles() []rbac.ClusterRole {
 }
 
 if utilfeature.DefaultFeatureGate.Enabled(features.VolumeScheduling) {
- // Find the scheduler role
- for i, role := range roles {
- if role.Name == "system:kube-scheduler" {
- pvRule := rbac.NewRule("update").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie()
- scRule := rbac.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie()
- roles[i].Rules = append(role.Rules, pvRule, scRule)
- break
- }
- }
+ roles = append(roles, rbac.ClusterRole{
+ ObjectMeta: metav1.ObjectMeta{Name: "system:volume-scheduler"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule(ReadUpdate...).Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
+ rbac.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
+ },
+ })
 }
 
 addClusterRoleLabel(roles)
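Review bot: `ReadUpdate` is exported with no doc comment, and its name does not convey that it also grants `patch`, so a reader scanning `rbac.NewRule(ReadUpdate...)` in a role definition will underestimate what the rule allows. Suggest `// ReadUpdate grants read access plus in-place mutation (update and patch) of existing objects, but not create or delete.` above the declaration; `ReadWrite` and `Read` would benefit from the same treatment while the block is being touched.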
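Review bot: The new persistentvolumes rule grants `patch` where the removed code granted only `update`, and nothing in the hunk explains the widening; `get`/`list`/`watch` may already be held through system:kube-scheduler, but that role is outside the hunk so I cannot confirm it. Since `patch` reaches the same fields as `update` the practical exposure is probably small, but if the volume binder only issues updates the rule should stay minimal: `rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie()`. The reason for carving these permissions into a separate role rather than extending system:kube-scheduler is only inferable; a comment on the new element such as `// system:volume-scheduler holds the volume-binding permissions apart from system:kube-scheduler so they can be gated independently.` would record it. ClusterRoles() starts before this hunk.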
@@ -520,6 +519,10 @@ func ClusterRoleBindings() []rbac.ClusterRoleBinding {
 },
 }
 
+ if utilfeature.DefaultFeatureGate.Enabled(features.VolumeScheduling) {
+ rolebindings = append(rolebindings, rbac.NewClusterBinding("system:volume-scheduler").Users(user.KubeScheduler).BindingOrDie())
+ }
+
 addClusterRoleBindingLabel(rolebindings)
 
 return rolebindings
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
index dc25b090ebe..55a88317272 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
@@ -156,5 +156,22 @@ items:
 - apiGroup: rbac.authorization.k8s.io
 kind: User
 name: system:kube-proxy
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:volume-scheduler
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:volume-scheduler
+ subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:kube-scheduler
 kind: List
 metadata: {}
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index f8fcaacb51d..999a01efde8 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
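Review bot: The feature-gate check here duplicates the one in ClusterRoles(), and nothing in this function ties the two together; editing either branch alone leaves a binding that references a role that was never created, or a role with no binding. At minimum a comment should state the coupling, `// Must stay in step with the gated system:volume-scheduler role in ClusterRoles().`, and building the role and its binding from one gated helper would remove the drift risk entirely. Separately, the testdata fixtures in this commit contain the role and binding unconditionally, so the fixture test presumably runs with VolumeScheduling enabled; worth confirming, since otherwise the fixtures and the gated code describe different policies. As far as the hunk shows, a binding already reconciled into a cluster is not revoked when the gate is later disabled, which is worth stating in the description if intended. ClusterRoleBindings() starts before this hunk.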
@@ -1171,6 +1171,34 @@ items:
 - create
 - patch
 - update
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:volume-scheduler
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
 - aggregationRule:
 clusterRoleSelectors:
 - matchLabels: