Merge pull request #56650 from danwinship/networkpolicy-rbac
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add RBAC policies for NetworkPolicy **What this PR does / why we need it**: When using RBAC, none of the namespace-level roles currently have permission to do anything with NetworkPolicy. (Only cluster-admin does, by virtue of having permission on "*".) This fixes it so "admin" and "edit" have read/write permission, and "view" has read-only permission. I added permission for both the extensions and networking objects, which I believe is correct as long as both of them exist? (This would be nice to fix in 1.9, although it's not a regression. It's always been broken.) **Release note**: ```release-note When using Role-Based Access Control, the "admin", "edit", and "view" roles now have the expected permissions on NetworkPolicy resources. ```
This commit is contained in:
Kubernetes Submit Queue
@@ -48,6 +48,7 @@ const (
|
|||||||
storageGroup = "storage.k8s.io"
|
storageGroup = "storage.k8s.io"
|
||||||
resMetricsGroup = "metrics.k8s.io"
|
resMetricsGroup = "metrics.k8s.io"
|
||||||
customMetricsGroup = "custom.metrics.k8s.io"
|
customMetricsGroup = "custom.metrics.k8s.io"
|
||||||
|
networkingGroup = "networking.k8s.io"
|
||||||
)
|
)
|
||||||
|
|
||||||
func addDefaultMetadata(obj runtime.Object) {
|
func addDefaultMetadata(obj runtime.Object) {
|
||||||
@@ -237,10 +238,13 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
|
|
||||||
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets",
|
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets",
|
||||||
"deployments", "deployments/scale", "deployments/rollback", "ingresses",
|
"deployments", "deployments/scale", "deployments/rollback", "ingresses",
|
||||||
"replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),
|
"replicasets", "replicasets/scale", "replicationcontrollers/scale",
|
||||||
|
"networkpolicies").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
||||||
|
|
||||||
|
rbac.NewRule(ReadWrite...).Groups(networkingGroup).Resources("networkpolicies").RuleOrDie(),
|
||||||
|
|
||||||
// additional admin powers
|
// additional admin powers
|
||||||
rbac.NewRule("create").Groups(authorizationGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
|
rbac.NewRule("create").Groups(authorizationGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
|
||||||
rbac.NewRule(ReadWrite...).Groups(rbacGroup).Resources("roles", "rolebindings").RuleOrDie(),
|
rbac.NewRule(ReadWrite...).Groups(rbacGroup).Resources("roles", "rolebindings").RuleOrDie(),
|
||||||
@@ -273,9 +277,12 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
|
|
||||||
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets",
|
rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets",
|
||||||
"deployments", "deployments/scale", "deployments/rollback", "ingresses",
|
"deployments", "deployments/scale", "deployments/rollback", "ingresses",
|
||||||
"replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),
|
"replicasets", "replicasets/scale", "replicationcontrollers/scale",
|
||||||
|
"networkpolicies").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
||||||
|
|
||||||
|
rbac.NewRule(ReadWrite...).Groups(networkingGroup).Resources("networkpolicies").RuleOrDie(),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@@ -301,9 +308,12 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
rbac.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
|
rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "deployments", "deployments/scale",
|
||||||
"ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(),
|
"ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale",
|
||||||
|
"networkpolicies").RuleOrDie(),
|
||||||
|
|
||||||
rbac.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
rbac.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
|
||||||
|
|
||||||
|
rbac.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies").RuleOrDie(),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -181,6 +181,7 @@ items:
|
|||||||
- deployments/rollback
|
- deployments/rollback
|
||||||
- deployments/scale
|
- deployments/scale
|
||||||
- ingresses
|
- ingresses
|
||||||
|
- networkpolicies
|
||||||
- replicasets
|
- replicasets
|
||||||
- replicasets/scale
|
- replicasets/scale
|
||||||
- replicationcontrollers/scale
|
- replicationcontrollers/scale
|
||||||
@@ -206,6 +207,19 @@ items:
|
|||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- networking.k8s.io
|
||||||
|
resources:
|
||||||
|
- networkpolicies
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- deletecollection
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- authorization.k8s.io
|
- authorization.k8s.io
|
||||||
resources:
|
resources:
|
||||||
@@ -359,6 +373,7 @@ items:
|
|||||||
- deployments/rollback
|
- deployments/rollback
|
||||||
- deployments/scale
|
- deployments/scale
|
||||||
- ingresses
|
- ingresses
|
||||||
|
- networkpolicies
|
||||||
- replicasets
|
- replicasets
|
||||||
- replicasets/scale
|
- replicasets/scale
|
||||||
- replicationcontrollers/scale
|
- replicationcontrollers/scale
|
||||||
@@ -384,6 +399,19 @@ items:
|
|||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- networking.k8s.io
|
||||||
|
resources:
|
||||||
|
- networkpolicies
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- deletecollection
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
- apiVersion: rbac.authorization.k8s.io/v1
|
- apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
@@ -471,6 +499,7 @@ items:
|
|||||||
- deployments
|
- deployments
|
||||||
- deployments/scale
|
- deployments/scale
|
||||||
- ingresses
|
- ingresses
|
||||||
|
- networkpolicies
|
||||||
- replicasets
|
- replicasets
|
||||||
- replicasets/scale
|
- replicasets/scale
|
||||||
- replicationcontrollers/scale
|
- replicationcontrollers/scale
|
||||||
@@ -486,6 +515,14 @@ items:
|
|||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- networking.k8s.io
|
||||||
|
resources:
|
||||||
|
- networkpolicies
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
- apiVersion: rbac.authorization.k8s.io/v1
|
- apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
|
|||||||
Reference in New Issue
Block a user