github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #63712 from liggitt/node-deletion

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 63673, 63712). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Revert "authz: nodes should not be able to delete themselves"

This reverts commit 35de82094a.

1.10 era kubelets still make use of this permission. we'll have to wait until 1.13 to remove it

xref https://github.com/kubernetes/kubernetes/issues/63505

```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue
2018-05-11 09:00:12 -07:00
committed by GitHub
parent 6f182a1ccc 736f5e2349
commit 65f8b88f35
3 changed files with 4 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@@ -105,7 +105,7 @@ func NodeRules() []rbac.PolicyRule {
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
rbac.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
rbac.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbac.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
rbac.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),

1
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@@ -1067,6 +1067,7 @@ items:
resources:
- nodes
verbs:
- delete
- patch
- update
- apiGroups:

7
test/integration/auth/node_test.go
View File

@@ -419,8 +419,7 @@ func TestNodeAuthorizer(t *testing.T) {
expectAllowed(t, createNode2MirrorPodEviction(node2Client))
expectAllowed(t, createNode2(node2Client))
expectAllowed(t, updateNode2Status(node2Client))
// cleanup node
expectAllowed(t, deleteNode2(superuserClient))
expectAllowed(t, deleteNode2(node2Client))
// create a pod as an admin to add object references
expectAllowed(t, createNode2NormalPod(superuserClient))
@@ -510,10 +509,8 @@ func TestNodeAuthorizer(t *testing.T) {
expectAllowed(t, unsetNode2ConfigSource(superuserClient))
// node2 can no longer get the configmap after it is unassigned as its config source
expectForbidden(t, getConfigMapConfigSource(node2Client))
// node should not be able to delete itself
expectForbidden(t, deleteNode2(node2Client))
// clean up node2
expectAllowed(t, deleteNode2(superuserClient))
expectAllowed(t, deleteNode2(node2Client))
//TODO(mikedanese): integration test node restriction of TokenRequest
}