From a5d3e6cd83f2b37e16996983ea74f6afcd1de8fe Mon Sep 17 00:00:00 2001 From: David Eads Date: Wed, 16 Mar 2022 11:52:56 -0400 Subject: [PATCH] allow namespace editors to evict pods --- plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 1 + .../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index 40e8a2535c9..25ab884f256 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -285,6 +285,7 @@ func ClusterRoles() []rbacv1.ClusterRole { rbacv1helpers.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(), rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(), + rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(), rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts", "services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(), rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(), diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml index dad0b7f92cd..4eefe6c4e7c 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml @@ -124,6 +124,12 @@ items: - deletecollection - patch - update + - apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create - apiGroups: - "" resources: