From d657261f9ba922807ee02245a62ae26e464aa724 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 2 Oct 2017 21:52:13 -0400
Subject: [PATCH] Add /swagger.json and /swagger-2.0.0.pb-v1 to discovery role
---
 .../auth/authorizer/rbac/bootstrappolicy/policy.go | 11 ++++++++++-
 .../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 2 ++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 8180b6029c..bea311c7ce 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -152,7 +152,16 @@ func ClusterRoles() []rbac.ClusterRole {
 // a role which provides just enough power to determine if the server is ready and discover API versions for negotiation
 ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
 Rules: []rbac.PolicyRule{
- rbac.NewRule("get").URLs("/healthz", "/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(),
+ rbac.NewRule("get").URLs(
+ "/healthz", "/version",
+ // remove once swagger 1.2 support is removed
+ "/swaggerapi", "/swaggerapi/*",
+ // do not expand this pattern for openapi discovery docs
+ // move to a single openapi endpoint that takes accept/accept-encoding headers
+ "/swagger.json", "/swagger-2.0.0.pb-v1",
+ "/api", "/api/*",
+ "/apis", "/apis/*",
+ ).RuleOrDie(),
 },
 },
 {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 50d3600734..4c6bf1e71a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -434,6 +434,8 @@ items:
 - /apis
 - /apis/*
 - /healthz
+ - /swagger-2.0.0.pb-v1
+ - /swagger.json
 - /swaggerapi
 - /swaggerapi/*
 - /version
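Review bot: The comments above `"/swagger.json", "/swagger-2.0.0.pb-v1"` in policy.go warn against expanding the pattern later but do not say what is granted now: every subject bound to `system:discovery` gains GET on the full OpenAPI document. The bindings for this role are outside the hunk, so it is worth confirming whether they include unauthenticated subjects before widening the role. I would state the scope next to the paths, for example `// exact paths only, no wildcard: the openapi spec becomes readable by every subject bound to system:discovery`. ClusterRoles() starts and ends outside the hunk.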