Merge pull request #42259 from deads2k/rbac-07-reconcile-binding

Automatic merge from submit-queue Add RBAC roles for bootstrap controllers Supercedes https://github.com/kubernetes/kubernetes/pull/42221 When locking down controllers to individual RBAC roles we need to make sure that the bootstrap controllers have the right permissions. This adds the roles and bindings at the correct namespace scopes for the bootstrap-signer and token-cleaner controllers. @liggitt ptal @jbeda @luxas you got a good way to test this? It must not be covered in normal e2e or we'd've seen the issue before.
2017-03-01 16:57:51 -08:00
parent 5c168e2d58 1cb582a03a
commit 01bfbb5fa0
15 changed files with 635 additions and 106 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go
@@ -187,6 +187,28 @@ func TestBootstrapNamespaceRoles(t *testing.T) {
 	testObjects(t, list, "namespace-roles.yaml")
 }

+func TestBootstrapNamespaceRoleBindings(t *testing.T) {
+	list := &api.List{}
+	names := sets.NewString()
+	roleBindings := map[string]runtime.Object{}
+
+	namespaceRoleBindings := bootstrappolicy.NamespaceRoleBindings()
+	for _, namespace := range sets.StringKeySet(namespaceRoleBindings).List() {
+		bootstrapRoleBindings := namespaceRoleBindings[namespace]
+		for i := range bootstrapRoleBindings {
+			roleBinding := bootstrapRoleBindings[i]
+			names.Insert(roleBinding.Name)
+			roleBindings[roleBinding.Name] = &roleBinding
+		}
+
+		for _, name := range names.List() {
+			list.Items = append(list.Items, roleBindings[name])
+		}
+	}
+
+	testObjects(t, list, "namespace-role-bindings.yaml")
+}
+
 func TestBootstrapClusterRoles(t *testing.T) {
 	list := &api.List{}
 	names := sets.NewString()