From ef7cee89bf26add3ee1feb5f1c5732d9bfa6c3ec Mon Sep 17 00:00:00 2001
From: Paco Xu
Date: Thu, 28 Aug 2025 12:51:33 +0800
Subject: [PATCH] add events.events.k8s.io to clusterrole view/edit/node default
---
 .../authorizer/rbac/bootstrappolicy/policy.go | 10 +++++---
 .../testdata/cluster-roles-featuregates.yaml | 23 +++++++++++++++++--
 .../testdata/cluster-roles.yaml | 23 +++++++++++++++++--
 3 files changed, 49 insertions(+), 7 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 447b0bc2e99..3b68d182601 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -112,12 +112,14 @@ func viewRules() []rbacv1.PolicyRule {
 rules := []rbacv1.PolicyRule{
 rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts", "services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
- rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
+ rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings",
 "pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
 // read access to namespaces at the namespace scope means you can read *this* namespace. This can be used as an
 // indicator of which namespaces you have access to.
 rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
+ rbacv1helpers.NewRule(Read...).Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),
+
 rbacv1helpers.NewRule(Read...).Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),
 rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
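Review bot: The new rule `rbacv1helpers.NewRule(Read...).Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),` carries no comment saying why events are moved out of the legacyGroup-only rule into a rule spanning two API groups, and the matching Write rule added in editRules in the next hunk has the same gap. A one-line comment such as `// events are served under both the core group and events.k8s.io; list both so either API yields the same authorization decision` would tell the next reader this is one resource reachable through two groups rather than a widening of the view/edit roles. If, as I understand it, both groups expose the same Event objects, nothing becomes readable or writable that was not already reachable through the core group, but that reasoning currently lives only in the commit title. viewRules continues past the end of the hunk.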
@@ -155,9 +157,11 @@ func editRules() []rbacv1.PolicyRule {
 rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
 rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(),
 rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
- "services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(),
+ "services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
 rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),
+ rbacv1helpers.NewRule(Write...).Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),
+
 rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
 "statefulsets", "statefulsets/scale",
 "daemonsets",
@@ -202,7 +206,7 @@ func NodeRules() []rbacv1.PolicyRule {
 rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 // TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
- rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
+ rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),
 // Use the Node authorizer to limit get to pods related to the node, and to limit list/watch to field selectors related to the node.
 rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods").RuleOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
index 5770acd6f23..e67bc0a313e 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
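Review bot: In the NodeRules hunk the TODO directly above the changed line still describes the pending NodeRestriction check as if there were a single events API, while the rule now grants create/update/patch on `legacyGroup` and `eventsGroup` alike; whatever eventually enforces that TODO has to match Event writes on both groups, otherwise the restriction would only cover one of two paths to the same objects. I would widen the comment to `// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin (for both the core and events.k8s.io groups)` so the second group is not forgotten when that work lands. The node's effective privilege should not change here provided both groups serve the same Event objects, which I infer from the change's intent rather than from anything visible in this hunk. NodeRules begins and ends outside the hunk.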
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
@@ -129,7 +129,6 @@ items:
 - ""
 resources:
 - configmaps
- - events
 - persistentvolumeclaims
 - replicationcontrollers
 - replicationcontrollers/scale
@@ -149,6 +148,17 @@ items:
 - serviceaccounts/token
 verbs:
 - create
+ - apiGroups:
+ - ""
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
 - apiGroups:
 - apps
 resources:
@@ -281,7 +291,6 @@ items:
 - ""
 resources:
 - bindings
- - events
 - limitranges
 - namespaces/status
 - pods/log
@@ -301,6 +310,15 @@ items:
 - get
 - list
 - watch
+ - apiGroups:
+ - ""
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - discovery.k8s.io
 resources:
@@ -1087,6 +1105,7 @@ items:
 - update
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index cd59a0d6447..e8e1ac600fc 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -129,7 +129,6 @@ items:
 - ""
 resources:
 - configmaps
- - events
 - persistentvolumeclaims
 - replicationcontrollers
 - replicationcontrollers/scale
@@ -149,6 +148,17 @@ items:
 - serviceaccounts/token
 verbs:
 - create
+ - apiGroups:
+ - ""
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - patch
+ - update
 - apiGroups:
 - apps
 resources:
@@ -281,7 +291,6 @@ items:
 - ""
 resources:
 - bindings
- - events
 - limitranges
 - namespaces/status
 - pods/log
@@ -301,6 +310,15 @@ items:
 - get
 - list
 - watch
+ - apiGroups:
+ - ""
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - discovery.k8s.io
 resources:
@@ -1047,6 +1065,7 @@ items:
 - update
 - apiGroups:
 - ""
+ - events.k8s.io
 resources:
 - events
 verbs: