diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
index 31ca13db52..b2983c44e4 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
@@ -23,6 +23,7 @@ import (
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apiserver/pkg/authentication/user"
 rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
 )
@@ -119,10 +120,15 @@ func init() {
 rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
 },
 })
+
+ delegatedAuthBinding := rbacv1helpers.NewRoleBinding("extension-apiserver-authentication-reader", metav1.NamespaceSystem).Users(user.KubeControllerManager, user.KubeScheduler).BindingOrDie()
+ delegatedAuthBinding.Name = "system::extension-apiserver-authentication-reader"
+ addNamespaceRoleBinding(metav1.NamespaceSystem, delegatedAuthBinding)
+
 addNamespaceRoleBinding(metav1.NamespaceSystem,
- rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
+ rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).Users(user.KubeControllerManager).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
 addNamespaceRoleBinding(metav1.NamespaceSystem,
- rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
+ rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).Users(user.KubeScheduler).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
 addNamespaceRoleBinding(metav1.NamespaceSystem,
 rbacv1helpers.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())
 // cloud-provider is deprecated starting Kubernetes 1.10 and will be deleted according to GA deprecation policy.
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 6f5ebcac80..6366dc1c83 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
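Review bot: The `delegatedAuthBinding.Name = "system::extension-apiserver-authentication-reader"` override is left unexplained; `NewRoleBinding` takes the role name as its first argument and every other binding in this hunk is built in a single chain, so a reader cannot tell from the code why this one needs a post-hoc rename. A one-line comment settles it, e.g. `// NewRoleBinding names the binding after the role; rename it with the system:: prefix used by the other bootstrap bindings in kube-system (presumably to leave the bare role name free for operator-created bindings — confirm).` The two leader-locking bindings now carry both a User subject and the existing ServiceAccount subject, and nothing says why both are needed; a comment such as `// keep the SA subject for deployments that run the component with a service account token rather than a client-cert identity` would stop the duplication reading as an oversight. Both changes widen who can read the kube-system/extension-apiserver-authentication configmap and take the leader lock, so the justification belongs next to the grant. init() starts before and continues past this hunk.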
@@ -402,6 +402,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
 // Needed to check API access. These creates are non-mutating
 rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
+ rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
 // Needed for all shared informers
 rbacv1helpers.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(),
 },
@@ -429,6 +430,9 @@ func ClusterRoles() []rbacv1.ClusterRole {
 // things that pods use or applies to them
 rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
 rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
+ // Needed to check API access. These creates are non-mutating
+ rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
+ rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
 },
 },
 {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index ea35a1b4b4..f00ff04eb6 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -658,6 +658,12 @@ items:
 - tokenreviews
 verbs:
 - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
 - apiGroups:
 - '*'
 resources:
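Review bot: The comment `// Needed to check API access. These creates are non-mutating` that the second hunk copies into the scheduler's ClusterRole does not say whose access is being checked or why, and the same vague wording now heads the tokenreviews/subjectaccessreviews rules in two roles. Judging by the serving integration test in this same change, the reviews are for delegated authentication/authorization of requests to the component's own secure serving endpoint, and that is what justifies the scope: `create subjectaccessreviews` lets the holder ask the authorizer about any subject, and `create tokenreviews` lets it validate any bearer token presented to it. Proposed wording for both places: `// Delegated authn/authz for the component's own secure serving endpoint: TokenReview validates the caller's bearer token, SubjectAccessReview checks its permissions. These creates are non-mutating.` The enclosing ClusterRoles() starts before the first hunk and continues past the second.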
@@ -792,6 +798,18 @@ items:
 - get
 - list
 - watch
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
index f0e126d1e8..01216c1cd5 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
@@ -18,6 +18,27 @@ items:
 - kind: ServiceAccount
 name: bootstrap-signer
 namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system::extension-apiserver-authentication-reader
+ namespace: kube-system
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+ subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:kube-controller-manager
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:kube-scheduler
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -33,6 +54,9 @@ items:
 kind: Role
 name: system::leader-locking-kube-controller-manager
 subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:kube-controller-manager
 - kind: ServiceAccount
 name: kube-controller-manager
 namespace: kube-system
@@ -51,6 +75,9 @@ items:
 kind: Role
 name: system::leader-locking-kube-scheduler
 subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:kube-scheduler
 - kind: ServiceAccount
 name: kube-scheduler
 namespace: kube-system
diff --git a/test/integration/serving/BUILD b/test/integration/serving/BUILD
index 24fe855f3e..9479790620 100644
--- a/test/integration/serving/BUILD
+++ b/test/integration/serving/BUILD
@@ -22,11 +22,8 @@ go_test(
 "//cmd/kube-controller-manager/app/testing:go_default_library",
 "//cmd/kube-scheduler/app/testing:go_default_library",
 "//pkg/cloudprovider/providers/fake:go_default_library",
- "//staging/src/k8s.io/api/rbac/v1:go_default_library",
- "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
- "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
 "//staging/src/k8s.io/cloud-provider:go_default_library",
 "//test/integration/framework:go_default_library",
 ],
diff --git a/test/integration/serving/serving_test.go b/test/integration/serving/serving_test.go
index 668e1c2645..1e5ce9fb04 100644
--- a/test/integration/serving/serving_test.go
+++ b/test/integration/serving/serving_test.go
@@ -28,11 +28,8 @@ import (
 "strings"
 "testing"
 
- rbacv1 "k8s.io/api/rbac/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apiserver/pkg/server"
 "k8s.io/apiserver/pkg/server/options"
- "k8s.io/client-go/kubernetes"
 "k8s.io/cloud-provider"
 cloudctrlmgrtesting "k8s.io/kubernetes/cmd/cloud-controller-manager/app/testing"
 kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
@@ -49,6 +46,8 @@ type componentTester interface {
 type kubeControllerManagerTester struct{}
 
 func (kubeControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) {
+ // avoid starting any controller loops, we're just testing serving
+ customFlags = append([]string{"--controllers="}, customFlags...)
 gotResult, err := kubectrlmgrtesting.StartTestServer(t, customFlags)
 if err != nil {
 return nil, nil, nil, nil, err
@@ -96,7 +95,7 @@ func TestComponentSecureServingAndAuth(t *testing.T) {
 t.Fatal(err)
 }
 tokenFile.WriteString(fmt.Sprintf(`
-%s,controller-manager,controller-manager,""
+%s,system:kube-controller-manager,system:kube-controller-manager,""
 `, token))
 tokenFile.Close()
 
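Review bot: The added `customFlags = append([]string{"--controllers="}, customFlags...)` prepends the flag, and the comment above it does not say why the order matters; if the flag parser keeps the last occurrence of a string flag (as pflag appears to), prepending is precisely what lets a caller's own `--controllers` in customFlags still win, and that intent should be written down: `// prepend so that a caller-supplied --controllers flag still takes precedence`. Whether an empty `--controllers=` value is accepted by kube-controller-manager as "run nothing" rather than rejected by flag validation is not visible here and is worth confirming, since the test's correctness now depends on it. The rest of StartTestServer continues outside the hunk.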
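Review bot: The new token-file line hard-codes `system:kube-controller-manager` as both the user name and uid, which only works because the bootstrap policy in this same change binds exactly that identity; the test is now silently coupled to `user.KubeControllerManager` and will fail in a confusing way if the two ever drift. Formatting with the constant keeps the coupling explicit, e.g. `%s,%s,%s,""` filled with `token, user.KubeControllerManager, user.KubeControllerManager` (importing `k8s.io/apiserver/pkg/authentication/user`, which the bootstrap policy side of this change already depends on). A short comment above the write, `// authenticate as the identity the bootstrap RBAC grants delegated-auth permissions to`, would also tell the next reader why the old `controller-manager` name and the hand-made bindings were dropped. TestComponentSecureServingAndAuth starts before and continues past this hunk.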
@@ -107,44 +106,6 @@ func TestComponentSecureServingAndAuth(t *testing.T) {
 }, framework.SharedEtcd())
 defer server.TearDownFn()
 
- // allow controller-manager to do SubjectAccessReview
- client, err := kubernetes.NewForConfig(server.ClientConfig)
- if err != nil {
- t.Fatalf("unexpected error creating client config: %v", err)
- }
- _, err = client.RbacV1().ClusterRoleBindings().Create(&rbacv1.ClusterRoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "controller-manager:system:auth-delegator"},
- Subjects: []rbacv1.Subject{{
- Kind: "User",
- Name: "controller-manager",
- }},
- RoleRef: rbacv1.RoleRef{
- APIGroup: "rbac.authorization.k8s.io",
- Kind: "ClusterRole",
- Name: "system:auth-delegator",
- },
- })
- if err != nil {
- t.Fatalf("failed to create system:auth-delegator rbac cluster role binding: %v", err)
- }
-
- // allow controller-manager to read kube-system/extension-apiserver-authentication
- _, err = client.RbacV1().RoleBindings("kube-system").Create(&rbacv1.RoleBinding{
- ObjectMeta: metav1.ObjectMeta{Name: "controller-manager:extension-apiserver-authentication-reader"},
- Subjects: []rbacv1.Subject{{
- Kind: "User",
- Name: "controller-manager",
- }},
- RoleRef: rbacv1.RoleRef{
- APIGroup: "rbac.authorization.k8s.io",
- Kind: "Role",
- Name: "extension-apiserver-authentication-reader",
- },
- })
- if err != nil {
- t.Fatalf("failed to create controller-manager:extension-apiserver-authentication-reader rbac role binding: %v", err)
- }
-
 // create kubeconfig for the apiserver
 apiserverConfig, err := ioutil.TempFile("", "kubeconfig")
 if err != nil {