github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix RBAC of generic ephemeral volumes controller

Browse Source 
The controller must be able to "update" finalizers of all pods to make
OwnerReferencesPermissionEnforcement admission plugin happy.
This commit is contained in:
Jan Safranek
2021-04-16 11:01:13 +02:00
parent 898bb9666c
commit cfbe5f1891
2 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
View File

@@ -198,6 +198,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "ephemeral-volume-controller"},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("pods/finalizers").RuleOrDie(),
rbacv1helpers.NewRule("get", "list", "watch", "create").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
eventsRule(),
},