diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
index 12d06a3aea2..54b87495545 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
@@ -100,6 +100,27 @@ func init() {
 			eventsRule(),
 		},
 	})
+	// TODO: Create util on Role+Binding for leader locking if more cases evolve.
+	addNamespaceRole(metav1.NamespaceSystem, rbac.Role{
+		// role for the leader locking on supplied configmap
+		ObjectMeta: metav1.ObjectMeta{Name: "system::leader-locking-kube-controller-manager"},
+		Rules: []rbac.PolicyRule{
+			rbac.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
+			rbac.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-controller-manager").RuleOrDie(),
+		},
+	})
+	addNamespaceRole(metav1.NamespaceSystem, rbac.Role{
+		// role for the leader locking on supplied configmap
+		ObjectMeta: metav1.ObjectMeta{Name: "system::leader-locking-kube-scheduler"},
+		Rules: []rbac.PolicyRule{
+			rbac.NewRule("watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
+			rbac.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
+		},
+	})
+	addNamespaceRoleBinding(metav1.NamespaceSystem,
+		rbac.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
+	addNamespaceRoleBinding(metav1.NamespaceSystem,
+		rbac.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
 	addNamespaceRoleBinding(metav1.NamespaceSystem,
 		rbac.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())
 	addNamespaceRoleBinding(metav1.NamespaceSystem,
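Review bot: The `rbac.NewRule("watch")` rule in each new Role carries no `.Names(...)`, so the kube-controller-manager and kube-scheduler service accounts can watch every configmap in kube-system, not only their own lock object — broader than the get/update rule that follows it. If that is deliberate (a resourceNames-restricted watch only matches requests that also select the object by name, which the leader-election client presumably does not do), the comment on those rules should say so, e.g. `// watch is not name-restricted: RBAC only matches a resourceNames watch when the request selects that single name`; otherwise the rule should get the same `.Names(...)` as the line below it. The two roles are also identical apart from the name and lock object, and the two `// role for the leader locking on supplied configmap` comments are copies; the TODO on the first line already points at the helper that would remove the duplication. The enclosing `init()` starts outside the hunk.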
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
index f85f5236864..ca79803cd98 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
@@ -18,6 +18,42 @@ items:
   - kind: ServiceAccount
     name: bootstrap-signer
     namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system::leader-locking-kube-controller-manager
+    namespace: kube-system
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: system::leader-locking-kube-controller-manager
+  subjects:
+  - kind: ServiceAccount
+    name: kube-controller-manager
+    namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system::leader-locking-kube-scheduler
+    namespace: kube-system
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: system::leader-locking-kube-scheduler
+  subjects:
+  - kind: ServiceAccount
+    name: kube-scheduler
+    namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: RoleBinding
   metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
index a7ebb3ecea2..e8fa714cb0e 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
@@ -54,6 +54,58 @@ items:
     - configmaps
     verbs:
     - get
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: Role
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system::leader-locking-kube-controller-manager
+    namespace: kube-system
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    verbs:
+    - watch
+  - apiGroups:
+    - ""
+    resourceNames:
+    - kube-controller-manager
+    resources:
+    - configmaps
+    verbs:
+    - get
+    - update
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: Role
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system::leader-locking-kube-scheduler
+    namespace: kube-system
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    verbs:
+    - watch
+  - apiGroups:
+    - ""
+    resourceNames:
+    - kube-scheduler
+    resources:
+    - configmaps
+    verbs:
+    - get
+    - update
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: Role
   metadata: