From 128fd8843dbdb1117f6e3702805029d72052399e Mon Sep 17 00:00:00 2001
From: Guoliang Wang
Date: Thu, 26 Jul 2018 08:22:54 +0800
Subject: [PATCH] Move cloud-specific roles out of RBAC bootstrap

---
 .../authorizer/rbac/bootstrappolicy/policy.go | 8 ------
 .../testdata/cluster-role-bindings.yaml | 17 -------------
 .../testdata/cluster-roles.yaml | 25 -------------------
 3 files changed, 50 deletions(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 4c31f256f8..53e7298e5c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -476,13 +476,6 @@ func ClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule("get", "list", "watch", "create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
 },
 },
- {
- ObjectMeta: metav1.ObjectMeta{Name: "system:aws-cloud-provider"},
- Rules: []rbacv1.PolicyRule{
- rbacv1helpers.NewRule("get", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
- eventsRule(),
- },
- },
 {
 // a role making the csrapprover controller approve a node client CSR
 ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:certificatesigningrequests:nodeclient"},
@@ -540,7 +533,6 @@ func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
 rbacv1helpers.NewClusterBinding("system:kube-controller-manager").Users(user.KubeControllerManager).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:kube-dns").SAs("kube-system", "kube-dns").BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:kube-scheduler").Users(user.KubeScheduler).BindingOrDie(),
- rbacv1helpers.NewClusterBinding("system:aws-cloud-provider").SAs("kube-system", "aws-cloud-provider").BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:volume-scheduler").Users(user.KubeScheduler).BindingOrDie(),
 
 // This default binding of the system:node role to the system:nodes group is deprecated in 1.7 with the availability of the Node authorizer.
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
index a41fcf20c7..05e333f5d7 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
@@ -17,23 +17,6 @@ items:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
 name: system:masters
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- annotations:
- rbac.authorization.kubernetes.io/autoupdate: "true"
- creationTimestamp: null
- labels:
- kubernetes.io/bootstrapping: rbac-defaults
- name: system:aws-cloud-provider
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:aws-cloud-provider
- subjects:
- - kind: ServiceAccount
- name: aws-cloud-provider
- namespace: kube-system
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 482471b564..bfadaea207 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -355,31 +355,6 @@ items:
 - subjectaccessreviews
 verbs:
 - create
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- annotations:
- rbac.authorization.kubernetes.io/autoupdate: "true"
- creationTimestamp: null
- labels:
- kubernetes.io/bootstrapping: rbac-defaults
- name: system:aws-cloud-provider
- rules:
- - apiGroups:
- ""
- resources:
- - nodes
- verbs:
- - get
- - patch
- - apiGroups:
- ""
- resources:
- - events
- verbs:
- - create
- - patch
- - update
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: