From f794c8bcd40ad1e322e75d8bd9a999673aebada5 Mon Sep 17 00:00:00 2001
From: Damien Grisonnet
Date: Mon, 9 Aug 2021 17:27:59 +0200
Subject: [PATCH] plugin: add bootstrap policy for external metrics

Since external metrics were added, we weren't running the HPA with metrics REST clients by default, so we had no bootstrap policy to enable the HPA controller to talk to the external metrics API. This change adds permissions for the HPA controller to list and get external.metrics.k8s.io by default as already done for the custom.metrics.k8s.io API.

Signed-off-by: Damien Grisonnet
---
 .../authorizer/rbac/bootstrappolicy/controller_policy.go | 3 ++-
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 1 +
 .../rbac/bootstrappolicy/testdata/controller-roles.yaml | 7 +++++++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index e2e3db36c07..cbf35cfc48c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -222,9 +222,10 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 rbacv1helpers.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 // TODO: restrict this to the appropriate namespace
 rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
- // allow listing resource metrics and custom metrics
+ // allow listing resource, custom, and external metrics
 rbacv1helpers.NewRule("list").Groups(resMetricsGroup).Resources("pods").RuleOrDie(),
 rbacv1helpers.NewRule("get", "list").Groups(customMetricsGroup).Resources("*").RuleOrDie(),
+ rbacv1helpers.NewRule("get", "list").Groups(externalMetricsGroup).Resources("*").RuleOrDie(),
 eventsRule(),
 },
 })
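Review bot: The added rule for `externalMetricsGroup` grants `get` and `list` on `Resources("*")` with no comment saying why a wildcard is needed, and the reworded comment above it still says only "listing" although the custom and external rules also grant `get`. This is a bootstrap role that ships by default, so the least-privilege reasoning belongs next to the rule; presumably the wildcard is unavoidable because external metric names are arbitrary, as for the custom metrics rule on the previous line, but that is inferred rather than shown in the hunk. I would reword the comment to something like `// allow reading resource, custom, and external metrics; custom/external metric names are arbitrary, so resources cannot be enumerated`. The enclosing `buildControllerRoles` body starts and ends outside this hunk.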
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index a89dfc1e96b..25f20944042 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -57,6 +57,7 @@ const (
 storageGroup = "storage.k8s.io"
 resMetricsGroup = "metrics.k8s.io"
 customMetricsGroup = "custom.metrics.k8s.io"
+ externalMetricsGroup = "external.metrics.k8s.io"
 networkingGroup = "networking.k8s.io"
 eventsGroup = "events.k8s.io"
 internalAPIServerGroup = "internal.apiserver.k8s.io"
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index 6c8491f3870..efc66ceb440 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -765,6 +765,13 @@ items:
 verbs:
 - get
 - list
+ - apiGroups:
+ - external.metrics.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
 - apiGroups:
 - ""
 - events.k8s.io