diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index b00ca2c7eb..f81abc720c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -163,6 +163,9 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
 rbac.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 // TODO: restrict this to the appropriate namespace
 rbac.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
+ // allow listing resource metrics and custom metrics
+ rbac.NewRule("list").Groups(resMetricsGroup).Resources("pods").RuleOrDie(),
+ rbac.NewRule("list").Groups(customMetricsGroup).Resources("*").RuleOrDie(),
 eventsRule(),
 },
 })
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go
index 8c36915f21..e1c98019bc 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go
@@ -31,11 +31,13 @@ var rolesWithAllowStar = sets.NewString(
 saRolePrefix+"namespace-controller",
 saRolePrefix+"generic-garbage-collector",
 saRolePrefix+"resourcequota-controller",
+ saRolePrefix+"horizontal-pod-autoscaler",
 )
 
 // TestNoStarsForControllers confirms that no controller role has star verbs, groups,
-// or resources. There are two known exceptions, namespace lifecycle and GC which have to
-// delete anything
+// or resources. There are three known exceptions: namespace lifecycle and GC which have to
+// delete anything, and HPA, which has the power to read metrics associated
+// with any object.
 func TestNoStarsForControllers(t *testing.T) {
 for _, role := range ControllerRoles() {
 if rolesWithAllowStar.Has(role.Name) {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 04e6544106..5510701bf1 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -46,6 +46,8 @@ const (
 policyGroup = "policy"
 rbacGroup = "rbac.authorization.k8s.io"
 storageGroup = "storage.k8s.io"
+ resMetricsGroup = "metrics.k8s.io"
+ customMetricsGroup = "custom.metrics.k8s.io"
 )
 
 func addDefaultMetadata(obj runtime.Object) {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index b90d55e497..bc24fa3cf2 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -482,6 +482,18 @@ items:
 - services/proxy
 verbs:
 - get
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ verbs:
+ - list
+ - apiGroups:
+ - custom.metrics.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - list
 - apiGroups:
 - ""
 resources:
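Review bot: The wildcard `Resources("*")` rule for customMetricsGroup carries no comment saying why a star is acceptable in a bootstrap policy whose own test otherwise rejects stars; the only justification lives in the test file, and the one-line comment above the two rules only says "allow listing". Custom metrics are addressed by arbitrary resource kind and metric name, so the resource set cannot be enumerated here, and that is worth stating next to the rule: `// custom metrics are keyed by arbitrary resource kind and metric name, so the resource cannot be narrowed; keep this read-only (list) and scoped to customMetricsGroup`. Note also that both new rules are cluster-wide, like the existing `services/proxy` rule above that already carries a namespace TODO, so any later per-namespace scoping should cover these too. If the HPA also reads a single named object's metric (an object metric rather than a pod collection), that request would presumably map to the `get` verb, which this rule does not grant — worth confirming against the controller's metrics client. buildControllerRoles continues outside the hunk.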
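Review bot: Adding `saRolePrefix+"horizontal-pod-autoscaler"` to rolesWithAllowStar exempts the whole role from the star check, so a future star verb or star API group in that role would pass unnoticed, although the role only needs a star resource in one API group. A tighter check would keep HPA out of the blanket allow-list and instead skip a rule only when its wildcard is in the resources field and its API group is custom.metrics.k8s.io; the loop body that would carry that check sits outside this hunk. At minimum the updated doc comment should say that the HPA exception is read-only and limited to one group, e.g. `// and HPA, which needs a star resource (list only) in the custom metrics API group.` TestNoStarsForControllers continues outside the hunk.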