plugin: add bootstrap policy for external metrics

Since external metrics were added, we weren't running the HPA with metrics REST clients by default, so we had no bootstrap policy to enable the HPA controller to talk to the external metrics API. This change adds permissions for the HPA controller to list and get external.metrics.k8s.io by default as already done for the custom.metrics.k8s.io API. Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
2025-07-20 18:31:15 +00:00 · 2021-08-09 17:27:59 +02:00 · 2021-08-09 17:27:59 +02:00 · f794c8bcd4
commit f794c8bcd4
parent 4b4d12f8a6
3 changed files with 10 additions and 1 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@ -222,9 +222,10 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 			rbacv1helpers.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			// TODO: restrict this to the appropriate namespace
 			rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
-			// allow listing resource metrics and custom metrics
+			// allow listing resource, custom, and external metrics
 			rbacv1helpers.NewRule("list").Groups(resMetricsGroup).Resources("pods").RuleOrDie(),
 			rbacv1helpers.NewRule("get", "list").Groups(customMetricsGroup).Resources("*").RuleOrDie(),
+			rbacv1helpers.NewRule("get", "list").Groups(externalMetricsGroup).Resources("*").RuleOrDie(),
 			eventsRule(),
 		},
 	})
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -57,6 +57,7 @@ const (
 	storageGroup           = "storage.k8s.io"
 	resMetricsGroup        = "metrics.k8s.io"
 	customMetricsGroup     = "custom.metrics.k8s.io"
+	externalMetricsGroup   = "external.metrics.k8s.io"
 	networkingGroup        = "networking.k8s.io"
 	eventsGroup            = "events.k8s.io"
 	internalAPIServerGroup = "internal.apiserver.k8s.io"
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@ -765,6 +765,13 @@ items:
    verbs:
    - get
    - list
+  - apiGroups:
+    - external.metrics.k8s.io
+    resources:
+    - '*'
+    verbs:
+    - get
+    - list
  - apiGroups:
    - ""
    - events.k8s.io