From c0b718373befb2168befc0c4579fd9a02155d5bc Mon Sep 17 00:00:00 2001
From: "Bobby (Babak) Salamat"
Date: Thu, 24 Aug 2017 18:18:02 -0700
Subject: [PATCH] Fix RBAC rules to allow scheduler update annotations of pods.

---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 3 ++-
 .../rbac/bootstrappolicy/testdata/cluster-roles.yaml | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index f69dfabd6e..04e6544106 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -330,7 +330,8 @@ func ClusterRoles() []rbac.ClusterRole {
 				rbac.NewRule("get", "update", "patch", "delete").Groups(legacyGroup).Resources("endpoints").Names("kube-scheduler").RuleOrDie(),
 
 				// fundamental resources
-				rbac.NewRule(Read...).Groups(legacyGroup).Resources("nodes", "pods").RuleOrDie(),
+				rbac.NewRule(Read...).Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+				rbac.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 				rbac.NewRule("create").Groups(legacyGroup).Resources("pods/binding", "bindings").RuleOrDie(),
 				rbac.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
 				// things that select pods
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 0f572371e2..b16948997c 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -580,8 +580,16 @@ items:
     - ""
     resources:
     - nodes
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
     - pods
     verbs:
+    - delete
     - get
     - list
     - watch
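Review bot: The added `pods` rule grants `get`, `list`, `watch`, `delete` but neither `update` nor `patch`, yet the commit subject says the purpose is to let the scheduler update pod annotations; annotations are metadata on the pod object itself, so an update or patch of `pods` would still be denied by this role and only the existing `pods/status` update on the next context line is permitted. Either the subject should describe what is actually granted (read plus delete on pods), or `"update", "patch"` belongs in the new verb list, depending on which API path the scheduler uses to write the annotation — confirm against the scheduler code. Separately, `delete` on every pod cluster-wide is a real privilege expansion for the scheduler that neither the description nor the code explains; a why-comment next to the rule, e.g. `// delete on pods is needed for preemption (evicting lower-priority victims); update/patch on pods is intentionally not granted`, adjusted to the actual reason, keeps the least-privilege rationale auditable. The enclosing `ClusterRoles` function and the scheduler ClusterRole literal begin and end outside the hunk.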