Add new volume-scheduler cluster role to scheduler

2025-11-03 23:40:03 +00:00 · 2018-01-30 16:55:18 -08:00
parent c7884550b2
commit dc1e871828
3 changed files with 59 additions and 11 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -29,6 +29,7 @@ import (
 var (
 	ReadWrite  = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
 	Read       = []string{"get", "list", "watch"}
+	ReadUpdate = []string{"get", "list", "watch", "update", "patch"}

 	Label      = map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}
 	Annotation = map[string]string{rbac.AutoUpdateAnnotationKey: "true"}
@@ -483,15 +484,13 @@ func ClusterRoles() []rbac.ClusterRole {
 	}

 	if utilfeature.DefaultFeatureGate.Enabled(features.VolumeScheduling) {
-		// Find the scheduler role
-		for i, role := range roles {
-			if role.Name == "system:kube-scheduler" {
-				pvRule := rbac.NewRule("update").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie()
-				scRule := rbac.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie()
-				roles[i].Rules = append(role.Rules, pvRule, scRule)
-				break
-			}
-		}
+		roles = append(roles, rbac.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{Name: "system:volume-scheduler"},
+			Rules: []rbac.PolicyRule{
+				rbac.NewRule(ReadUpdate...).Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
+				rbac.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
+			},
+		})
 	}

 	addClusterRoleLabel(roles)
@@ -520,6 +519,10 @@ func ClusterRoleBindings() []rbac.ClusterRoleBinding {
 		},
 	}

+	if utilfeature.DefaultFeatureGate.Enabled(features.VolumeScheduling) {
+		rolebindings = append(rolebindings, rbac.NewClusterBinding("system:volume-scheduler").Users(user.KubeScheduler).BindingOrDie())
+	}
+
 	addClusterRoleBindingLabel(rolebindings)

 	return rolebindings
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
@@ -156,5 +156,22 @@ items:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: system:kube-proxy
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system:volume-scheduler
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:volume-scheduler
+  subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:kube-scheduler
 kind: List
 metadata: {}
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -1171,6 +1171,34 @@ items:
    - create
    - patch
    - update
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system:volume-scheduler
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - persistentvolumes
+    verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - storage.k8s.io
+    resources:
+    - storageclasses
+    verbs:
+    - get
+    - list
+    - watch
 - aggregationRule:
    clusterRoleSelectors:
    - matchLabels: