From f3e97d522d73a90a86e2a9fcc478e6bbde938bf6 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Fri, 13 Jan 2017 17:11:20 -0800
Subject: [PATCH] add rbac role for certificate-controller

---
 .../rbac/bootstrappolicy/controller_policy.go | 8 +++++
 .../testdata/controller-role-bindings.yaml | 15 ++++++++
 .../testdata/controller-roles.yaml | 34 +++++++++++++++++++
 3 files changed, 57 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index 9db4ac40e94..5671dd61b1e 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -264,6 +264,14 @@ func init() {
 			eventsRule(),
 		},
 	})
+	addControllerRole(rbac.ClusterRole{
+		ObjectMeta: api.ObjectMeta{Name: saRolePrefix + "certificate-controller"},
+		Rules: []rbac.PolicyRule{
+			rbac.NewRule("get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
+			rbac.NewRule("update").Groups(certificatesGroup).Resources("certificatesigningrequests/status", "certificatesigningrequests/approval").RuleOrDie(),
+			eventsRule(),
+		},
+	})
 }
 
 // ControllerRoles returns the cluster roles used by controllers
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
index 159e6c6065c..c26ee08e794 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml
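Review bot: The `update` grant on `certificatesigningrequests/approval` in the second `rbac.NewRule` is the permission that lets this service account approve CSRs, which in effect lets it have client certificates issued for whatever subject a request names, so it is the most privilege-sensitive line in the new role and should not sit unexplained next to the `status` subresource. A comment above that line such as `// approval: presumably needed by the controller's own CSR-approval path (confirm against the controller); this is effectively the power to issue client certs, so keep it on this role only` would let a future auditor of the bootstrap policy tell a deliberate grant from an over-broad one. Consider also splitting `status` and `approval` into two rules so each grant can be reviewed and, if the approval logic is later moved elsewhere, removed independently. The enclosing `init()` begins outside the hunk.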
@@ -15,6 +15,21 @@ items:
   - kind: ServiceAccount
     name: attachdetach-controller
     namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1alpha1
+  kind: ClusterRoleBinding
+  metadata:
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system:controller:certificate-controller
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:controller:certificate-controller
+  subjects:
+  - kind: ServiceAccount
+    name: certificate-controller
+    namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1alpha1
   kind: ClusterRoleBinding
   metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 2ff78c64e60..b6bd948bf40 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -51,6 +51,40 @@ items:
     - create
     - patch
     - update
+- apiVersion: rbac.authorization.k8s.io/v1alpha1
+  kind: ClusterRole
+  metadata:
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system:controller:certificate-controller
+  rules:
+  - apiGroups:
+    - certificates.k8s.io
+    attributeRestrictions: null
+    resources:
+    - certificatesigningrequests
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - certificates.k8s.io
+    attributeRestrictions: null
+    resources:
+    - certificatesigningrequests/approval
+    - certificatesigningrequests/status
+    verbs:
+    - update
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
 - apiVersion: rbac.authorization.k8s.io/v1alpha1
   kind: ClusterRole
   metadata: