This is the result of running `UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true go test k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy`. Apparently, enabling the GenericEphemeralVolume feature by default affects this test. The policy that it now tests against is indeed the one needed for the controller.
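# Golden fixture: the default ClusterRoleBindings for the built-in controllers.
# Per the commit message on this page it is regenerated with
# UPDATE_BOOTSTRAP_POLICY_FIXTURE_DATA=true go test <bootstrappolicy package>,
# so the content mirrors what the bootstrap policy code emits. These comments
# are reader annotations and would not survive a regeneration.
#
# Every item has the same shape: ClusterRole system:controller:<name> is bound
# to exactly one subject, ServiceAccount <name> in kube-system. No users or
# groups are bound here. These per-controller identities are the ones
# kube-controller-manager uses when started with
# --use-service-account-credentials.
#
# Review note: each entry is a cluster-scoped grant. The rules themselves live
# in the referenced ClusterRoles, which this file does not show. When the
# fixture is regenerated, read the resulting diff as a permission change and
# check it against what the controller actually needs.
apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      # "true" marks this default object for reconciliation by the API server
      # at start-up, which restores missing default subjects.
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      # Identifies the object as part of the default bootstrap RBAC policy.
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:attachdetach-controller
  # roleRef names the ClusterRole being granted; it shares the binding's name.
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:attachdetach-controller
  # Single subject: the controller's own ServiceAccount in kube-system.
  subjects:
  - kind: ServiceAccount
    name: attachdetach-controller
    namespace: kube-system
# The remaining items repeat the same structure for each controller.
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:certificate-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:certificate-controller
  subjects:
  - kind: ServiceAccount
    name: certificate-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:clusterrole-aggregation-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:clusterrole-aggregation-controller
  subjects:
  - kind: ServiceAccount
    name: clusterrole-aggregation-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:cronjob-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:cronjob-controller
  subjects:
  - kind: ServiceAccount
    name: cronjob-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:daemon-set-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:daemon-set-controller
  subjects:
  - kind: ServiceAccount
    name: daemon-set-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:deployment-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:deployment-controller
  subjects:
  - kind: ServiceAccount
    name: deployment-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:disruption-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:disruption-controller
  subjects:
  - kind: ServiceAccount
    name: disruption-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:endpoint-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:endpoint-controller
  subjects:
  - kind: ServiceAccount
    name: endpoint-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:endpointslice-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:endpointslice-controller
  subjects:
  - kind: ServiceAccount
    name: endpointslice-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:endpointslicemirroring-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:endpointslicemirroring-controller
  subjects:
  - kind: ServiceAccount
    name: endpointslicemirroring-controller
    namespace: kube-system
# NOTE(review): presumably the entry this regeneration introduced, since the
# commit message ties the change to GenericEphemeralVolume being enabled by
# default. The page shows no diff, so confirm against the previous fixture.
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:ephemeral-volume-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:ephemeral-volume-controller
  subjects:
  - kind: ServiceAccount
    name: ephemeral-volume-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:expand-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:expand-controller
  subjects:
  - kind: ServiceAccount
    name: expand-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:generic-garbage-collector
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:generic-garbage-collector
  subjects:
  - kind: ServiceAccount
    name: generic-garbage-collector
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:horizontal-pod-autoscaler
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:horizontal-pod-autoscaler
  subjects:
  - kind: ServiceAccount
    name: horizontal-pod-autoscaler
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:job-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:job-controller
  subjects:
  - kind: ServiceAccount
    name: job-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:namespace-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:namespace-controller
  subjects:
  - kind: ServiceAccount
    name: namespace-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:node-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:node-controller
  subjects:
  - kind: ServiceAccount
    name: node-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:persistent-volume-binder
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:persistent-volume-binder
  subjects:
  - kind: ServiceAccount
    name: persistent-volume-binder
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:pod-garbage-collector
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:pod-garbage-collector
  subjects:
  - kind: ServiceAccount
    name: pod-garbage-collector
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:pv-protection-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:pv-protection-controller
  subjects:
  - kind: ServiceAccount
    name: pv-protection-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:pvc-protection-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:pvc-protection-controller
  subjects:
  - kind: ServiceAccount
    name: pvc-protection-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:replicaset-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:replicaset-controller
  subjects:
  - kind: ServiceAccount
    name: replicaset-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:replication-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:replication-controller
  subjects:
  - kind: ServiceAccount
    name: replication-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:resourcequota-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:resourcequota-controller
  subjects:
  - kind: ServiceAccount
    name: resourcequota-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:root-ca-cert-publisher
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:root-ca-cert-publisher
  subjects:
  - kind: ServiceAccount
    name: root-ca-cert-publisher
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:route-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:route-controller
  subjects:
  - kind: ServiceAccount
    name: route-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:service-account-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:service-account-controller
  subjects:
  - kind: ServiceAccount
    name: service-account-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:service-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:service-controller
  subjects:
  - kind: ServiceAccount
    name: service-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:statefulset-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:statefulset-controller
  subjects:
  - kind: ServiceAccount
    name: statefulset-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:ttl-after-finished-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:ttl-after-finished-controller
  subjects:
  - kind: ServiceAccount
    name: ttl-after-finished-controller
    namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    annotations:
      rbac.authorization.kubernetes.io/autoupdate: "true"
    creationTimestamp: null
    labels:
      kubernetes.io/bootstrapping: rbac-defaults
    name: system:controller:ttl-controller
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: system:controller:ttl-controller
  subjects:
  - kind: ServiceAccount
    name: ttl-controller
    namespace: kube-system
kind: List
metadata: {}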