From 1cb582a03a13f4968366cb745e763ed490d12fef Mon Sep 17 00:00:00 2001
From: deads2k
Date: Tue, 28 Feb 2017 11:36:53 -0500
Subject: [PATCH] add roles and bindings for bootstrap controllers
---
 .../rbac/bootstrappolicy/namespace_policy.go | 32 ++++++++
 .../testdata/namespace-role-bindings.yaml | 56 ++++++++++++-
 .../testdata/namespace-roles.yaml | 82 +++++++++++++++++++
 .../k8s.io/client-go/pkg/apis/rbac/helpers.go | 16 ++++
 4 files changed, 185 insertions(+), 1 deletion(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
index f0370de76e..469d7eb10e 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
@@ -78,6 +78,38 @@ func init() {
 rbac.NewRule("get").Groups(legacyGroup).Resources("configmaps").Names("extension-apiserver-authentication").RuleOrDie(),
 },
 })
+ addNamespaceRole(metav1.NamespaceSystem, rbac.Role{
+ // role for the bootstrap signer to be able to inspect kube-system secrets
+ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "bootstrap-signer"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
+ },
+ })
+ addNamespaceRole(metav1.NamespaceSystem, rbac.Role{
+ // role for the token-cleaner to be able to remove secrets, but only in kube-system
+ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "token-cleaner"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
+ eventsRule(),
+ },
+ })
+ addNamespaceRoleBinding(metav1.NamespaceSystem,
+ rbac.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())
+ addNamespaceRoleBinding(metav1.NamespaceSystem,
+ rbac.NewRoleBinding(saRolePrefix+"token-cleaner", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "token-cleaner").BindingOrDie())
+
+ addNamespaceRole(metav1.NamespacePublic, rbac.Role{
+ // role for the bootstrap signer to be able to write its configmap
+ ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "bootstrap-signer"},
+ Rules: []rbac.PolicyRule{
+ rbac.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
+ rbac.NewRule("update").Groups(legacyGroup).Resources("configmaps").Names("cluster-info").RuleOrDie(),
+ eventsRule(),
+ },
+ })
+ addNamespaceRoleBinding(metav1.NamespacePublic,
+ rbac.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespacePublic).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())
+
 }
 // NamespaceRoles returns a map of namespace to slice of roles to create
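Review bot: The kube-system `bootstrap-signer` role grants `get`, `list`, `watch` on every secret in kube-system, and the `token-cleaner` role additionally `delete` on all of them, while the comments on both roles describe only bootstrap-token handling; RBAC rules cannot be scoped by secret type, so both service accounts can read (and the cleaner remove) any kube-system secret, which in that namespace presumably includes other controllers' service-account token secrets. That breadth may be unavoidable for these controllers, but it should be recorded next to the rules rather than left implicit, e.g. on the first role `// RBAC cannot filter by secret type: this is read access to every kube-system secret, the controller must select bootstrap tokens itself` and on the token-cleaner role `// delete is namespace-wide on secrets; the cleaner must restrict itself to expired bootstrap-token secrets`. The kube-public binding intentionally names the kube-system service account as its subject, and since two same-named `bootstrap-signer` roles now exist in different namespaces a one-line comment saying so would prevent the binding being "fixed" later. The enclosing init function starts before this hunk.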
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
index 1668104b64..d14b53bcdb 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
@@ -1,4 +1,58 @@
 apiVersion: v1
-items: null
+items:
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: RoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:bootstrap-signer
+ namespace: kube-public
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: system:controller:bootstrap-signer
+ subjects:
+ - kind: ServiceAccount
+ name: bootstrap-signer
+ namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: RoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:bootstrap-signer
+ namespace: kube-system
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: system:controller:bootstrap-signer
+ subjects:
+ - kind: ServiceAccount
+ name: bootstrap-signer
+ namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: RoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:token-cleaner
+ namespace: kube-system
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: system:controller:token-cleaner
+ subjects:
+ - kind: ServiceAccount
+ name: token-cleaner
+ namespace: kube-system
 kind: List
 metadata: {}
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
index 6f78b9a076..bd1a26045d 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-roles.yaml
@@ -1,5 +1,40 @@
 apiVersion: v1
 items:
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: Role
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:bootstrap-signer
+ namespace: kube-public
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resourceNames:
+ - cluster-info
+ resources:
+ - configmaps
+ verbs:
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
 - apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
@@ -19,5 +54,52 @@ items:
 - configmaps
 verbs:
 - get
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: Role
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:bootstrap-signer
+ namespace: kube-system
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: Role
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:controller:token-cleaner
+ namespace: kube-system
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - delete
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
 kind: List
 metadata: {}
diff --git a/staging/src/k8s.io/client-go/pkg/apis/rbac/helpers.go b/staging/src/k8s.io/client-go/pkg/apis/rbac/helpers.go
index 24310d9d72..a2ec9e8a53 100644
--- a/staging/src/k8s.io/client-go/pkg/apis/rbac/helpers.go
+++ b/staging/src/k8s.io/client-go/pkg/apis/rbac/helpers.go
@@ -279,6 +279,22 @@ func NewRoleBinding(roleName, namespace string) *RoleBindingBuilder {
 }
 }
+func NewRoleBindingForClusterRole(roleName, namespace string) *RoleBindingBuilder {
+ return &RoleBindingBuilder{
+ RoleBinding: RoleBinding{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: roleName,
+ Namespace: namespace,
+ },
+ RoleRef: RoleRef{
+ APIGroup: GroupName,
+ Kind: "ClusterRole",
+ Name: roleName,
+ },
+ },
+ }
+}
+
 // Groups adds the specified groups as the subjects of the RoleBinding.
 func (r *RoleBindingBuilder) Groups(groups ...string) *RoleBindingBuilder {
 for _, group := range groups {
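Review bot: `NewRoleBindingForClusterRole` is exported but carries no doc comment, although the neighbouring `Groups` follows the `// Name ...` convention of this file; add `// NewRoleBindingForClusterRole returns a RoleBindingBuilder whose RoleRef points at the ClusterRole named roleName; the binding is created in namespace and reuses roleName as its own name.` The fact that the binding's name and the referenced ClusterRole's name are the same is a contract callers should see spelled out, since a binding to a ClusterRole grants those rules inside the namespace. Within this patch the helper appears unused (the bootstrap-policy hunk calls NewRoleBinding), so a sentence on its intended caller would help the reader. The Groups method continues past the end of the hunk.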