github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Include "ingresses" in RBAC bootstrap roles

Browse Source 
The bootstrap RBAC roles "admin", "edit", and "view" should all be
able to apply their respective access verbs to the "ingresses"
resource in order to facilitate both publishing Ingress resources (for
service administrators) and consuming them (for ingress controllers).
This commit is contained in:
Steven E. Harris
2017-01-17 14:44:56 -05:00
parent 6cd0592a46
commit 0016f7f2fc
2 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@@ -114,8 +114,8 @@ func ClusterRoles() []rbac.ClusterRole {
rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "cronjobs", "scheduledjobs").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", "horizontalpodautoscalers",
"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
"horizontalpodautoscalers", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),
// additional admin powers
rbac.NewRule("create").Groups(authorizationGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
@@ -144,8 +144,8 @@ func ClusterRoles() []rbac.ClusterRole {
rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "cronjobs", "scheduledjobs").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", "horizontalpodautoscalers",
"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
"horizontalpodautoscalers", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),
},
},
{
@@ -167,8 +167,8 @@ func ClusterRoles() []rbac.ClusterRole {
rbac.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs", "scheduledjobs").RuleOrDie(),
rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "horizontalpodautoscalers",
"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
"horizontalpodautoscalers", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),
},
},
{

3
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@@ -133,6 +133,7 @@ items:
- deployments
- deployments/scale
- horizontalpodautoscalers
- ingresses
- replicasets
- replicasets/scale
- replicationcontrollers/scale
@@ -320,6 +321,7 @@ items:
- deployments
- deployments/scale
- horizontalpodautoscalers
- ingresses
- replicasets
- replicasets/scale
- replicationcontrollers/scale
@@ -717,6 +719,7 @@ items:
- deployments
- deployments/scale
- horizontalpodautoscalers
- ingresses
- replicasets
- replicasets/scale
- replicationcontrollers/scale