From 9947216abd80df0ccb9df83b630b893b07918e4e Mon Sep 17 00:00:00 2001
From: Andy Goldstein
Date: Mon, 13 Feb 2017 11:49:09 -0500
Subject: [PATCH] Allow controller manager to list/watch CSRs

---
 .../auth/authorizer/rbac/bootstrappolicy/policy.go | 14 ++++++++++++--
 .../bootstrappolicy/testdata/cluster-roles.yaml | 9 ++++++++-
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index e0ee757a044..6d52ef962ce 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -279,13 +279,23 @@ func ClusterRoles() []rbac.ClusterRole {
 rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "serviceaccounts").RuleOrDie(),
 rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "serviceaccounts").RuleOrDie(),
- rbac.NewRule("list", "watch").Groups("*").Resources("namespaces", "nodes", "persistentvolumeclaims",
- "persistentvolumes", "pods", "secrets", "services", "serviceaccounts", "replicationcontrollers").RuleOrDie(),
+ rbac.NewRule("list", "watch").Groups(legacyGroup).Resources(
+ "namespaces",
+ "nodes",
+ "persistentvolumeclaims",
+ "persistentvolumes",
+ "pods",
+ "secrets",
+ "services",
+ "serviceaccounts",
+ "replicationcontrollers",
+ ).RuleOrDie(),
 rbac.NewRule("list", "watch").Groups(extensionsGroup).Resources("daemonsets", "deployments", "replicasets").RuleOrDie(),
 rbac.NewRule("list", "watch").Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
 rbac.NewRule("list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
 rbac.NewRule("list", "watch").Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
 rbac.NewRule("list", "watch").Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
+ rbac.NewRule("list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
 },
 },
 {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 99a6d8164de..cf430ab5ebd 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -444,7 +444,7 @@ items:
 verbs:
 - update
 - apiGroups:
- '*'
+ - ""
 resources:
 - namespaces
 - nodes
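Review bot: The certificatesGroup rule added at the end of the hunk grants only `list` and `watch` on certificatesigningrequests, which is enough for an informer but not for a CSR signer or approver, which would also need `update` on the `certificatesigningrequests/status` and `certificatesigningrequests/approval` subresources; if those writes are granted elsewhere, or intentionally withheld from this role, a short comment on the line would stop the next reader from widening it here, e.g. `// list/watch only; CSR status/approval updates must be granted separately`. Keeping write verbs out of this rule is the right default, because the same role lists and watches every secret in the core group (the `"secrets"` entry in the rewritten legacyGroup rule), so any identity that can approve CSRs should be narrower than this one. Narrowing `Groups("*")` to `legacyGroup` in the same hunk is a genuine tightening and the YAML testdata in the second file reflects it as `""`. ClusterRoles() begins before and ends after this hunk.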
@@ -496,6 +496,13 @@ items:
 verbs:
 - list
 - watch
+ - apiGroups:
+ - certificates.k8s.io
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - list
+ - watch
 - apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata: