Add bootstrap policy for HPA metrics REST clients

Since we weren't running the HPA with metrics REST clients by default,
we had no bootstrap policy enabling the HPA controller to talk to the
metrics APIs.

This adds permissions for the HPA controller to list
pods.metrics.k8s.io, and to list any resource in custom.metrics.k8s.io.
Solly Ross 2017-09-15 15:16:01 -04:00
parent 9aef242a4c
commit 8cbbbac27d
4 changed files with 21 additions and 2 deletions


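--- a/<file-1 path not shown on page>
+++ b/<file-1 path not shown on page>
@@ -163,6 +163,9 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
 rbac.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 // TODO: restrict this to the appropriate namespace
 rbac.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
+// allow listing resource metrics and custom metrics
+rbac.NewRule("list").Groups(resMetricsGroup).Resources("pods").RuleOrDie(),
+rbac.NewRule("list").Groups(customMetricsGroup).Resources("*").RuleOrDie(),
 eventsRule(),
 },
 })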
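Review bot: The wildcard `Resources("*")` on the custom-metrics rule is the only reason this role now needs an exemption from the no-star test, and the comment above it does not say why the wildcard is unavoidable; I would extend it to `// allow listing resource metrics and custom metrics; custom metric resources are user-defined, so they cannot be enumerated here and the rule must use "*"`. It is also worth stating next to these rules that both are cluster-wide (no namespace or name restriction), in the same spirit as the existing TODO on the heapster proxy rule, so a reader knows the HPA controller can read any custom metric for any object. buildControllerRoles begins before this hunk and the rest of the role's rules are outside it.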


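--- a/<file-2 path not shown on page>
+++ b/<file-2 path not shown on page>
@@ -31,11 +31,13 @@ var rolesWithAllowStar = sets.NewString(
 saRolePrefix+"namespace-controller",
 saRolePrefix+"generic-garbage-collector",
 saRolePrefix+"resourcequota-controller",
+saRolePrefix+"horizontal-pod-autoscaler",
 )
 // TestNoStarsForControllers confirms that no controller role has star verbs, groups,
-// or resources. There are two known exceptions, namespace lifecycle and GC which have to
-// delete anything
+// or resources. There are three known exceptions: namespace lifecycle and GC which have to
+// delete anything, and HPA, which has the power to read metrics associated
+// with any object.
 func TestNoStarsForControllers(t *testing.T) {
 for _, role := range ControllerRoles() {
 if rolesWithAllowStar.Has(role.Name) {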
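Review bot: Adding the HPA role to `rolesWithAllowStar` exempts every rule of that role from the star check, not only the custom-metrics rule that needs it, so a star verb or star API group added to the HPA role later would no longer be caught by this test. A narrower exemption would keep the guard meaningful: rather than whitelisting the role name, skip only rules whose API group is exactly `custom.metrics.k8s.io` and whose star appears in Resources, and still fail on star verbs or star groups anywhere in the role. The loop body of TestNoStarsForControllers continues outside the hunk, so I cannot quote the exact lines to change.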


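--- a/<file-3 path not shown on page>
+++ b/<file-3 path not shown on page>
@@ -46,6 +46,8 @@ const (
 policyGroup = "policy"
 rbacGroup = "rbac.authorization.k8s.io"
 storageGroup = "storage.k8s.io"
+resMetricsGroup = "metrics.k8s.io"
+customMetricsGroup = "custom.metrics.k8s.io"
 )
 func addDefaultMetadata(obj runtime.Object) {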


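--- a/<file-4 path not shown on page>
+++ b/<file-4 path not shown on page>
@@ -482,6 +482,18 @@ items:
 - services/proxy
 verbs:
 - get
+- apiGroups:
+- metrics.k8s.io
+resources:
+- pods
+verbs:
+- list
+- apiGroups:
+- custom.metrics.k8s.io
+resources:
+- '*'
+verbs:
+- list
 - apiGroups:
 - ""
 resources: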