diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index 5509788f09d..44d39c9d9c3 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -45,6 +45,7 @@ const ( autoscalingGroup = "autoscaling" batchGroup = "batch" certificatesGroup = "certificates.k8s.io" + coordinationGroup = "coordination.k8s.io" discoveryGroup = "discovery.k8s.io" extensionsGroup = "extensions" policyGroup = "policy" @@ -172,7 +173,7 @@ func NodeRules() []rbacv1.PolicyRule { // Node leases if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) { - nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get", "create", "update", "patch", "delete").Groups("coordination.k8s.io").Resources("leases").RuleOrDie()) + nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get", "create", "update", "patch", "delete").Groups(coordinationGroup).Resources("leases").RuleOrDie()) } // RuntimeClass @@ -394,10 +395,17 @@ func ClusterRoles() []rbacv1.ClusterRole { ObjectMeta: metav1.ObjectMeta{Name: "system:kube-controller-manager"}, Rules: []rbacv1.PolicyRule{ eventsRule(), - rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(), + // Needed for leader election. + rbacv1helpers.NewRule("create").Groups(coordinationGroup).Resources("leases").RuleOrDie(), + rbacv1helpers.NewRule("get", "update").Groups(coordinationGroup).Resources("leases").Names("kube-controller-manager").RuleOrDie(), + // TODO: Remove once we fully migrate to lease in leader-election. + rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("endpoints").RuleOrDie(), + rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("endpoints").Names("kube-controller-manager").RuleOrDie(), + // Fundamental resources. + rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("secrets", "serviceaccounts").RuleOrDie(), rbacv1helpers.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(), - rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "secrets", "serviceaccounts", "configmaps").RuleOrDie(), - rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(), + rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("namespaces", "secrets", "serviceaccounts", "configmaps").RuleOrDie(), + rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("secrets", "serviceaccounts").RuleOrDie(), // Needed to check API access. These creates are non-mutating rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(), rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(), @@ -471,8 +479,11 @@ func ClusterRoles() []rbacv1.ClusterRole { eventsRule(), // This is for leaderlease access // TODO: scope this to the kube-system namespace + rbacv1helpers.NewRule("create").Groups(coordinationGroup).Resources("leases").RuleOrDie(), + rbacv1helpers.NewRule("get", "update").Groups(coordinationGroup).Resources("leases").Names("kube-scheduler").RuleOrDie(), + // TODO: Remove once we fully migrate to lease in leader-election. rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("endpoints").RuleOrDie(), - rbacv1helpers.NewRule("get", "update", "patch", "delete").Groups(legacyGroup).Resources("endpoints").Names("kube-scheduler").RuleOrDie(), + rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("endpoints").Names("kube-scheduler").RuleOrDie(), // Fundamental resources rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("nodes").RuleOrDie(), diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml index e276d15717b..6d4c4c9f356 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml @@ -510,10 +510,39 @@ items: - create - patch - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resourceNames: + - kube-controller-manager + resources: + - leases + verbs: + - get + - update - apiGroups: - "" resources: - endpoints + verbs: + - create + - apiGroups: + - "" + resourceNames: + - kube-controller-manager + resources: + - endpoints + verbs: + - get + - update + - apiGroups: + - "" + resources: - secrets - serviceaccounts verbs: @@ -528,7 +557,6 @@ items: - "" resources: - configmaps - - endpoints - namespaces - secrets - serviceaccounts @@ -537,7 +565,6 @@ items: - apiGroups: - "" resources: - - endpoints - secrets - serviceaccounts verbs: @@ -604,6 +631,21 @@ items: - create - patch - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resourceNames: + - kube-scheduler + resources: + - leases + verbs: + - get + - update - apiGroups: - "" resources: @@ -617,9 +659,7 @@ items: resources: - endpoints verbs: - - delete - get - - patch - update - apiGroups: - ""