From e6e026f1ad76c2a674886f5545b8a53bfe9aa6ef Mon Sep 17 00:00:00 2001
From: Jacek Kaniuk
Date: Wed, 23 Oct 2019 16:54:38 +0200
Subject: [PATCH] Allow pod-garbage-collector to get nodes
---
 .../auth/authorizer/rbac/bootstrappolicy/controller_policy.go | 2 +-
 .../rbac/bootstrappolicy/testdata/controller-roles.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 08d57be51a1..8ae39744b6e 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -255,7 +255,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pod-garbage-collector"},
 Rules: []rbacv1.PolicyRule{
 rbacv1helpers.NewRule("list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
- rbacv1helpers.NewRule("list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+ rbacv1helpers.NewRule("get", "list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 },
 })
 addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 7a76381fc61..969d81fe10b 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -872,6 +872,7 @@ items:
 resources:
 - nodes
 verbs:
+ - get
 - list
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
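Review bot: The widened `nodes` rule in the pod-garbage-collector role of controller_policy.go has no comment saying why `get` is needed, and the controller code that would issue that call is not part of this patch. Because `list` on nodes was already granted, the extra verb does not expose node data the service account could not already read. A bootstrap-policy change is still easier to audit for least privilege when the reason sits next to the rule. I would add a line above it such as `// get: the controller looks up individual nodes by name (confirm against the podgc change that needs it)`. buildControllerRoles starts and ends outside the hunk, so whether other controller roles follow the same commenting convention cannot be checked from here.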