From 160ad4580f11ebfddeeb6deefd0b035340c9d8a2 Mon Sep 17 00:00:00 2001 From: David Eads Date: Tue, 14 Aug 2018 11:43:18 -0400 Subject: [PATCH 1/2] generated --- .../bootstrap_cluster_role_bindings.yaml | 611 +-- .../bootstrap_cluster_roles.yaml | 1260 +----- .../bootstrap_policy_file.yaml | 3445 ++++------------- 3 files changed, 829 insertions(+), 4487 deletions(-) diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml index 3877b09e41ec..de7d8a0c8d17 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml @@ -204,11 +204,11 @@ items: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - name: system:discovery-binding + name: system:openshift:discovery roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:discovery + name: system:openshift:discovery subjects: - apiGroup: rbac.authorization.k8s.io kind: Group 
@@ -311,442 +311,11 @@ items: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:attachdetach-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:attachdetach-controller - subjects: - - kind: ServiceAccount - name: attachdetach-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:clusterrole-aggregation-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:clusterrole-aggregation-controller - subjects: - - kind: ServiceAccount - name: clusterrole-aggregation-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:cronjob-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:cronjob-controller - subjects: - - kind: ServiceAccount - name: cronjob-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:daemon-set-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:daemon-set-controller - subjects: - - kind: ServiceAccount - name: daemon-set-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: 
ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:deployment-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:deployment-controller - subjects: - - kind: ServiceAccount - name: deployment-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:disruption-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:disruption-controller - subjects: - - kind: ServiceAccount - name: disruption-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:endpoint-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:endpoint-controller - subjects: - - kind: ServiceAccount - name: endpoint-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:expand-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:expand-controller - subjects: - - kind: ServiceAccount - name: expand-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - 
rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:generic-garbage-collector - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:generic-garbage-collector - subjects: - - kind: ServiceAccount - name: generic-garbage-collector - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:horizontal-pod-autoscaler - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:horizontal-pod-autoscaler - subjects: - - kind: ServiceAccount - name: horizontal-pod-autoscaler - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:job-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:job-controller - subjects: - - kind: ServiceAccount - name: job-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:namespace-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:namespace-controller - subjects: - - kind: ServiceAccount - name: namespace-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - 
rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:node-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:node-controller - subjects: - - kind: ServiceAccount - name: node-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:persistent-volume-binder - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:persistent-volume-binder - subjects: - - kind: ServiceAccount - name: persistent-volume-binder - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pod-garbage-collector - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:pod-garbage-collector - subjects: - - kind: ServiceAccount - name: pod-garbage-collector - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:replicaset-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:replicaset-controller - subjects: - - kind: ServiceAccount - name: replicaset-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: 
"true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:replication-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:replication-controller - subjects: - - kind: ServiceAccount - name: replication-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:resourcequota-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:resourcequota-controller - subjects: - - kind: ServiceAccount - name: resourcequota-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:route-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:route-controller - subjects: - - kind: ServiceAccount - name: route-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:service-account-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:service-account-controller - subjects: - - kind: ServiceAccount - name: service-account-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: 
null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:service-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:service-controller - subjects: - - kind: ServiceAccount - name: service-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:statefulset-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:statefulset-controller - subjects: - - kind: ServiceAccount - name: statefulset-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:ttl-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:ttl-controller - subjects: - - kind: ServiceAccount - name: ttl-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:certificate-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:certificate-controller - subjects: - - kind: ServiceAccount - name: certificate-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - 
name: system:controller:pvc-protection-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:pvc-protection-controller - subjects: - - kind: ServiceAccount - name: pvc-protection-controller - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pv-protection-controller + name: system:discovery-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:pv-protection-controller - subjects: - - kind: ServiceAccount - name: pv-protection-controller - namespace: kube-system + name: system:discovery - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -1182,177 +751,5 @@ items: - kind: ServiceAccount name: namespace-security-allocation-controller namespace: openshift-infra -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: cluster-admin - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:masters -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:discovery - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:discovery - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:basic-user - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:basic-user - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-proxier - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node-proxier - subjects: - 
- apiGroup: rbac.authorization.k8s.io - kind: User - name: system:kube-proxy -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-controller-manager - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kube-controller-manager - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:kube-controller-manager -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-dns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kube-dns - subjects: - - kind: ServiceAccount - name: kube-dns - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-scheduler - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kube-scheduler - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:kube-scheduler -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:aws-cloud-provider - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:aws-cloud-provider - subjects: - - kind: ServiceAccount - name: aws-cloud-provider - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - 
annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:volume-scheduler - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:volume-scheduler - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:kube-scheduler kind: List metadata: {} diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index 2a2d7c6611d0..638d46560001 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml @@ -1,27 +1,5 @@ apiVersion: v1 items: -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - openshift.io/description: A super-user that can perform any action in the cluster. - When granted to a user within a project, they have full control over quota - and membership and can perform every action on every resource in the project. - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: cluster-admin - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' - - nonResourceURLs: - - '*' - verbs: - - '*' - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -1954,7 +1932,7 @@ items: authorization.openshift.io/system-only: "true" rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - name: system:discovery + name: system:openshift:discovery rules: - nonResourceURLs: - /version @@ -3496,66 +3474,7 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:attachdetach-controller - rules: - - apiGroups: - - "" - resources: - - persistentvolumeclaims - - persistentvolumes - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - create - - delete - - get - - list - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:clusterrole-aggregation-controller + name: cluster-admin rules: - apiGroups: - '*' 
@@ -3576,1169 +3495,24 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:cronjob-controller - rules: - - apiGroups: - - batch - resources: - - cronjobs - verbs: - - get - - list - - update - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - cronjobs/status - verbs: - - update - - apiGroups: - - batch - resources: - - cronjobs/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - delete - - list - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:daemon-set-controller - rules: - - apiGroups: - - apps - - extensions - resources: - - daemonsets - verbs: - - get - - list - - watch - - apiGroups: - - apps - - extensions - resources: - - daemonsets/status - verbs: - - update - - apiGroups: - - apps - - extensions - resources: - - daemonsets/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - list - - patch - - watch - - apiGroups: - - "" - resources: - - pods/binding - verbs: - - create - - apiGroups: - - apps - resources: - - controllerrevisions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: 
"true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:deployment-controller + name: system:discovery rules: - - apiGroups: - - apps - - extensions - resources: - - deployments - verbs: - - get - - list - - update - - watch - - apiGroups: - - apps - - extensions - resources: - - deployments/status - verbs: - - update - - apiGroups: - - apps - - extensions - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - apps - - extensions - resources: - - replicasets + - nonResourceURLs: + - /api + - /api/* + - /apis + - /apis/* + - /healthz + - /openapi + - /openapi/* + - /swagger-2.0.0.pb-v1 + - /swagger.json + - /swaggerapi + - /swaggerapi/* + - /version + - /version/ verbs: - - create - - delete - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:disruption-controller - rules: - - apiGroups: - - apps - - extensions - resources: - - deployments - verbs: - - get - - list - - watch - - apiGroups: - - apps - - extensions - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get - - list - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets/status - verbs: - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - 
patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:endpoint-controller - rules: - - apiGroups: - - "" - resources: - - pods - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - delete - - get - - list - - update - - apiGroups: - - "" - resources: - - endpoints/restricted - verbs: - - create - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:expand-controller - rules: - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - patch - - update - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - endpoints - - services - verbs: - - get - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: 
system:controller:generic-garbage-collector - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:horizontal-pod-autoscaler - rules: - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers/status - verbs: - - update - - apiGroups: - - '*' - resources: - - '*/scale' - verbs: - - get - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - list - - apiGroups: - - "" - resourceNames: - - 'http:heapster:' - - 'https:heapster:' - resources: - - services/proxy - verbs: - - get - - apiGroups: - - metrics.k8s.io - resources: - - pods - verbs: - - list - - apiGroups: - - custom.metrics.k8s.io - resources: - - '*' - verbs: - - get - - list - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:job-controller - rules: - - apiGroups: - - batch - resources: - - jobs - verbs: - - get - - list - - update - - watch - - apiGroups: - - batch - resources: - - jobs/status - verbs: - - update - - apiGroups: - - batch - resources: - - jobs/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - list - - patch - - watch - - 
apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:namespace-controller - rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - delete - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces/finalize - - namespaces/status - verbs: - - update - - apiGroups: - - '*' - resources: - - '*' - verbs: - - delete - - deletecollection - - get - - list -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:node-controller - rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - delete - - get - - list - - patch - - update - - apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - - update - - apiGroups: - - "" - resources: - - pods/status - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - delete - - list - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:persistent-volume-binder - rules: - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - create - - delete - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - persistentvolumes/status - verbs: - - 
update - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - endpoints - - services - verbs: - - create - - delete - - get - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - apiGroups: - - "" - resources: - - events - verbs: - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pod-garbage-collector - rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - delete - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:replicaset-controller - rules: - - apiGroups: - - apps - - extensions - resources: - - replicasets - verbs: - - get - - list - - update - - watch - - apiGroups: - - apps - - extensions - resources: - - replicasets/status - verbs: - - update - - apiGroups: - - apps - - extensions - resources: - - replicasets/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - list 
- - patch - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:replication-controller - rules: - - apiGroups: - - "" - resources: - - replicationcontrollers - verbs: - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - replicationcontrollers/status - verbs: - - update - - apiGroups: - - "" - resources: - - replicationcontrollers/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - list - - patch - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:resourcequota-controller - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - resourcequotas/status - verbs: - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:route-controller - rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - - apiGroups: - - "" - 
resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:service-account-controller - rules: - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - create - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:service-controller - rules: - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - services/status - verbs: - - update - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:statefulset-controller - rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets/status - verbs: - - update - - apiGroups: - - apps - resources: - - statefulsets/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - patch - - update - - apiGroups: - - apps 
- resources: - - controllerrevisions - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - get - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:ttl-controller - rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:certificate-controller - rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - delete - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: - - update - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pvc-protection-controller - rules: - - apiGroups: - - "" - resources: - - persistentvolumeclaims - 
verbs: - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pv-protection-controller - rules: - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - update - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml index 99d12c594035..67b4ce207ee2 100644 --- a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml @@ -1,27 +1,5 @@ apiVersion: v1 items: -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - openshift.io/description: A super-user that can perform any action in the cluster. - When granted to a user within a project, they have full control over quota - and membership and can perform every action on every resource in the project. - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: cluster-admin - rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' - - nonResourceURLs: - - '*' - verbs: - - '*' - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -1954,7 +1932,7 @@ items: authorization.openshift.io/system-only: "true" rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - name: system:discovery + name: system:openshift:discovery rules: - nonResourceURLs: - /version @@ -3496,56 +3474,45 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:attachdetach-controller + name: cluster-admin rules: - apiGroups: - - "" - resources: - - persistentvolumeclaims - - persistentvolumes - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - - update - - apiGroups: - - "" + - '*' resources: - - pods + - '*' verbs: - - list - - watch - - apiGroups: - - "" - resources: - - events + - '*' + - nonResourceURLs: + - '*' verbs: - - create - - patch - - update - - apiGroups: - - storage.k8s.io - resources: - - volumeattachments + - '*' +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:discovery + rules: + - nonResourceURLs: + - /api + - /api/* + - /apis + - /apis/* + - /healthz + - /openapi + - /openapi/* + - /swagger-2.0.0.pb-v1 + - /swagger.json + - /swaggerapi + - /swaggerapi/* + - /version + - /version/ verbs: - - create - - delete - get - - list - - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -3555,18 +3522,63 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:clusterrole-aggregation-controller + name: system:basic-user rules: - apiGroups: - - '*' + - authorization.k8s.io resources: - - '*' - verbs: - - '*' - - nonResourceURLs: - - '*' + - selfsubjectaccessreviews + - selfsubjectrulesreviews verbs: - - '*' + - create +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + openshift.io/description: A user that has edit rights within the project and + can change the project's membership. + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: admin + rules: null +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + openshift.io/description: A user that can create and edit most objects in a + project, but can not update the project's membership. + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: edit + rules: null +- aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + openshift.io/description: A user who can view but not edit any resources within + the project. They can not view secrets or membership. + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: view + rules: null - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -3576,133 +3588,191 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:cronjob-controller + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: system:aggregate-to-admin rules: - apiGroups: - - batch + - "" resources: - - cronjobs + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy verbs: + - create + - delete + - deletecollection - get - list + - patch - update - watch - apiGroups: - - batch + - "" resources: - - jobs + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy verbs: - create - delete + - deletecollection - get - list - patch - update - watch - apiGroups: - - batch + - "" resources: - - cronjobs/status + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status verbs: - - update + - get + - list + - watch - apiGroups: - - batch + - "" resources: - - cronjobs/finalizers + - namespaces verbs: - - update + - get + - list + - watch - apiGroups: - "" resources: - - pods + - serviceaccounts verbs: - - delete - - list + - impersonate - apiGroups: - - "" + - apps resources: - - events + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale verbs: - create + - delete + - deletecollection + - get + - list - patch - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:daemon-set-controller - rules: + - watch - apiGroups: - - apps - - extensions + - autoscaling resources: - - daemonsets + - 
horizontalpodautoscalers verbs: + - create + - delete + - deletecollection - get - list + - patch + - update - watch - apiGroups: - - apps - - extensions + - batch resources: - - daemonsets/status + - cronjobs + - jobs verbs: + - create + - delete + - deletecollection + - get + - list + - patch - update + - watch - apiGroups: - - apps - extensions resources: - - daemonsets/finalizers + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale verbs: + - create + - delete + - deletecollection + - get + - list + - patch - update + - watch - apiGroups: - - "" + - policy resources: - - nodes + - poddisruptionbudgets verbs: + - create + - delete + - deletecollection + - get - list + - patch + - update - watch - apiGroups: - - "" + - networking.k8s.io resources: - - pods + - networkpolicies verbs: - create - delete + - deletecollection + - get - list - patch + - update - watch - apiGroups: - - "" + - authorization.k8s.io resources: - - pods/binding + - localsubjectaccessreviews verbs: - create - apiGroups: - - apps + - rbac.authorization.k8s.io resources: - - controllerrevisions + - rolebindings + - roles verbs: - create - delete + - deletecollection - get - list - patch - update - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -3712,40 +3782,42 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:deployment-controller + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: system:aggregate-to-edit rules: - apiGroups: - - apps - - extensions + - "" resources: - - deployments + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy verbs: + - create + - delete + - deletecollection - get - list + - patch - update - watch - apiGroups: - - apps - - extensions - resources: - - deployments/status - verbs: - - update - - apiGroups: - - apps - - extensions - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - apps - - extensions + - "" resources: - - replicasets + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy verbs: - create - delete + - deletecollection - get - list - patch 
@@ -3754,87 +3826,127 @@ items: - apiGroups: - "" resources: - - pods + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status verbs: - get - list - - update - watch - apiGroups: - "" resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:disruption-controller - rules: - - apiGroups: - - apps - - extensions - resources: - - deployments + - namespaces verbs: - get - list - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate - apiGroups: - apps - - extensions resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale verbs: + - create + - delete + - deletecollection - get - list + - patch + - update - watch - apiGroups: - - "" + - autoscaling resources: - - replicationcontrollers + - horizontalpodautoscalers verbs: + - create + - delete + - deletecollection - get - list + - patch + - update - watch - apiGroups: - - policy + - batch resources: - - poddisruptionbudgets + - cronjobs + - jobs verbs: + - create + - delete + - deletecollection - get - list + - patch + - update - watch - apiGroups: - - apps + - extensions resources: - - statefulsets + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale verbs: + - create + - delete + - deletecollection - get - list + - patch + - update - watch - apiGroups: - policy resources: - - poddisruptionbudgets/status + - poddisruptionbudgets verbs: + - 
create + - delete + - deletecollection + - get + - list + - patch - update + - watch - apiGroups: - - "" + - networking.k8s.io resources: - - events + - networkpolicies verbs: - create + - delete + - deletecollection + - get + - list - patch - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -3844,12 +3956,19 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:endpoint-controller + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: system:aggregate-to-view rules: - apiGroups: - "" resources: + - configmaps + - endpoints + - persistentvolumeclaims - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts - services verbs: - get 
@@ -3858,92 +3977,89 @@ items: - apiGroups: - "" resources: - - endpoints + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status verbs: - - create - - delete - get - list - - update + - watch - apiGroups: - "" resources: - - endpoints/restricted + - namespaces verbs: - - create + - get + - list + - watch - apiGroups: - - "" + - apps resources: - - events + - daemonsets + - deployments + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:expand-controller - rules: + - get + - list + - watch - apiGroups: - - "" + - autoscaling resources: - - persistentvolumes + - horizontalpodautoscalers verbs: - get - list - - patch - - update - watch - apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - patch - - update - - apiGroups: - - "" + - batch resources: - - persistentvolumeclaims + - cronjobs + - jobs verbs: - get - list - watch - apiGroups: - - storage.k8s.io + - extensions resources: - - storageclasses + - daemonsets + - deployments + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale verbs: - get - list - watch - apiGroups: - - "" + - policy resources: - - endpoints - - services + - poddisruptionbudgets verbs: - get + - list + - watch - apiGroups: - - "" + - networking.k8s.io resources: - - secrets + - networkpolicies verbs: - get - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRole metadata: @@ -3953,27 +4069,27 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:generic-garbage-collector + name: system:heapster rules: - apiGroups: - - '*' + - "" resources: - - '*' + - events + - namespaces + - nodes + - pods verbs: - - delete - get - list - - patch - - update - watch - apiGroups: - - "" + - extensions resources: - - events + - deployments verbs: - - create - - patch - - update + - get + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -3983,57 +4099,53 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:horizontal-pod-autoscaler + name: system:node rules: - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: - - autoscaling + - authentication.k8s.io resources: - - horizontalpodautoscalers/status + - tokenreviews verbs: - - update + - create - apiGroups: - - '*' + - authorization.k8s.io resources: - - '*/scale' + - localsubjectaccessreviews + - subjectaccessreviews verbs: - - get - - update + - create - apiGroups: - "" resources: - - pods + - services verbs: + - get - list + - watch - apiGroups: - "" - resourceNames: - - 'http:heapster:' - - 'https:heapster:' resources: - - services/proxy + - nodes verbs: + - create - get + - list + - watch - apiGroups: - - metrics.k8s.io + - "" resources: - - pods + - nodes/status verbs: - - list + - patch + - update - apiGroups: - - custom.metrics.k8s.io + - "" resources: - - '*' + - nodes verbs: - - get - - list + - delete + - patch + - update - apiGroups: - "" resources: 
@@ -4042,92 +4154,79 @@ items: - create - patch - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:job-controller - rules: - apiGroups: - - batch + - "" resources: - - jobs + - pods verbs: - get - list - - update - watch - apiGroups: - - batch + - "" resources: - - jobs/status + - pods verbs: - - update + - create + - delete - apiGroups: - - batch + - "" resources: - - jobs/finalizers + - pods/status verbs: + - patch - update - apiGroups: - "" resources: - - pods + - pods/eviction verbs: - create - - delete + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get - list - - patch - watch - apiGroups: - "" resources: - - events + - persistentvolumeclaims + - persistentvolumes verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:namespace-controller - rules: + - get - apiGroups: - "" resources: - - namespaces + - endpoints verbs: - - delete + - get + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - create - get - list - watch - apiGroups: - "" resources: - - namespaces/finalize - - namespaces/status + - persistentvolumeclaims/status verbs: + - get + - patch - update - apiGroups: - - '*' + - storage.k8s.io resources: - - '*' + - volumeattachments verbs: - - delete - - deletecollection - get - - list - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -4137,38 +4236,20 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:node-controller + name: system:node-problem-detector rules: - apiGroups: - "" resources: - nodes verbs: - - delete - get - - list - - patch - - update - apiGroups: - "" resources: - nodes/status verbs: - patch - - update - - apiGroups: - - "" - resources: - - pods/status - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - delete - - list - apiGroups: - "" resources: 
@@ -4186,94 +4267,108 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:persistent-volume-binder + name: system:node-proxier rules: - apiGroups: - "" resources: - - persistentvolumes + - endpoints + - services verbs: - - create - - delete - - get - list - - update - watch - apiGroups: - "" resources: - - persistentvolumes/status - verbs: - - update - - apiGroups: - - "" - resources: - - persistentvolumeclaims + - nodes verbs: - get - - list - - update - - watch - apiGroups: - "" resources: - - persistentvolumeclaims/status + - events verbs: + - create + - patch - update +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:kubelet-api-admin + rules: - apiGroups: - "" resources: - - pods + - nodes verbs: - - create - - delete - get - list - watch - apiGroups: - - storage.k8s.io + - "" resources: - - storageclasses + - nodes verbs: - - get - - list - - watch + - proxy - apiGroups: - "" resources: - - endpoints - - services - verbs: - - create - - delete - - get - - apiGroups: - - "" - resources: - - secrets + - nodes/log + - nodes/metrics + - nodes/proxy + - nodes/spec + - nodes/stats verbs: - - get + - '*' +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + authorization.openshift.io/system-only: "true" + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:node-bootstrapper + rules: - apiGroups: - - "" + - certificates.k8s.io resources: - - nodes + - certificatesigningrequests verbs: + - create - get - list + - watch +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + annotations: + 
authorization.openshift.io/system-only: "true" + rbac.authorization.kubernetes.io/autoupdate: "true" + creationTimestamp: null + labels: + kubernetes.io/bootstrapping: rbac-defaults + name: system:auth-delegator + rules: - apiGroups: - - "" + - authentication.k8s.io resources: - - events + - tokenreviews verbs: - - watch + - create - apiGroups: - - "" + - authorization.k8s.io resources: - - events + - subjectaccessreviews verbs: - create - - patch - - update - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -4283,22 +4378,17 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pod-garbage-collector + name: system:kube-aggregator rules: - apiGroups: - "" resources: - - pods + - endpoints + - services verbs: - - delete + - get - list - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -4308,50 +4398,60 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:replicaset-controller + name: system:kube-controller-manager rules: - apiGroups: - - apps - - extensions + - "" resources: - - replicasets + - events verbs: - - get - - list + - create + - patch - update - - watch - apiGroups: - - apps - - extensions + - "" resources: - - replicasets/status + - endpoints + - secrets + - serviceaccounts verbs: - - update + - create - apiGroups: - - apps - - extensions + - "" resources: - - replicasets/finalizers + - secrets verbs: - - update + - delete - apiGroups: - "" resources: - - pods + - endpoints + - namespaces + - secrets + - serviceaccounts verbs: - - create - - delete - - list - - patch - - watch + - get - apiGroups: - "" resources: - - events + - endpoints + - secrets + - serviceaccounts verbs: - - create - - patch - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - '*' + resources: + - '*' + verbs: + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -4361,111 +4461,107 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:replication-controller + name: system:kube-scheduler rules: - apiGroups: - "" resources: - - replicationcontrollers + - events verbs: - - get - - list + - create + - patch - update - - watch - apiGroups: - "" resources: - - replicationcontrollers/status + - endpoints verbs: - - update + - create - apiGroups: - "" + resourceNames: + - kube-scheduler resources: - - replicationcontrollers/finalizers + - endpoints verbs: + - delete + - get + - patch - update - apiGroups: - "" resources: - - pods + - nodes verbs: - - create - - delete + - get - list - - patch - watch - apiGroups: - "" resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:resourcequota-controller - rules: - - apiGroups: - - '*' - resources: - - '*' + - pods verbs: + - delete + - get - list - watch - apiGroups: - "" resources: - - resourcequotas/status + - bindings + - pods/binding verbs: - - update + - create - apiGroups: - "" resources: - - events + - pods/status verbs: - - create - patch - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:route-controller - rules: - apiGroups: - "" resources: - - nodes + - replicationcontrollers + - services verbs: + - get - list - watch - apiGroups: - - "" + - apps + - extensions resources: - - nodes/status + - replicasets verbs: - - patch + - get + - list + - watch + - 
apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list + - watch - apiGroups: - "" resources: - - events + - persistentvolumeclaims + - persistentvolumes verbs: - - create - - patch - - update + - get + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -4475,22 +4571,16 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:service-account-controller + name: system:kube-dns rules: - apiGroups: - "" resources: - - serviceaccounts - verbs: - - create - - apiGroups: - - "" - resources: - - events + - endpoints + - services verbs: - - create - - patch - - update + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -4500,27 +4590,33 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:service-controller + name: system:persistent-volume-provisioner rules: - apiGroups: - "" resources: - - services + - persistentvolumes verbs: + - create + - delete - get - list - watch - apiGroups: - "" resources: - - services/status + - persistentvolumeclaims verbs: + - get + - list - update + - watch - apiGroups: - - "" + - storage.k8s.io resources: - - nodes + - storageclasses verbs: + - get - list - watch - apiGroups: 
@@ -4528,76 +4624,7 @@ items: resources: - events verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:statefulset-controller - rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets/status - verbs: - - update - - apiGroups: - - apps - resources: - - statefulsets/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - patch - - update - - apiGroups: - - apps - resources: - - controllerrevisions - verbs: - - create - - delete - - get - - list - - patch - - update - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - get - apiGroups: - "" resources: 
@@ -4615,77 +4642,18 @@ items: creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:ttl-controller + name: system:csi-external-provisioner rules: - apiGroups: - "" resources: - - nodes - verbs: - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - events + - persistentvolumes verbs: - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:certificate-controller - rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - delete - get - list - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - - certificatesigningrequests/status - verbs: - - update - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pvc-protection-controller - rules: - apiGroups: - "" resources: 
@@ -4693,43 +4661,15 @@ items: verbs: - get - list - - update - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - patch - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pv-protection-controller - rules: + - watch - apiGroups: - - "" + - storage.k8s.io resources: - - persistentvolumes + - storageclasses verbs: - - get - list - - update - watch - apiGroups: - "" 
@@ -4737,2063 +4677,466 @@ items: - events verbs: - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:basic-user - rules: - - apiGroups: - - authorization.k8s.io - resources: - - selfsubjectaccessreviews - - selfsubjectrulesreviews - verbs: - - create -- aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - openshift.io/description: A user that has edit rights within the project and - can change the project's membership. - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: admin - rules: null -- aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - openshift.io/description: A user that can create and edit most objects in a - project, but can not update the project's membership. - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: edit - rules: null -- aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - openshift.io/description: A user who can view but not edit any resources within - the project. They can not view secrets or membership. 
- rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: view - rules: null -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - rbac.authorization.k8s.io/aggregate-to-admin: "true" - name: system:aggregate-to-admin - rules: - - apiGroups: - - "" - resources: - - pods - - pods/attach - - pods/exec - - pods/portforward - - pods/proxy - verbs: - - create - - delete - - deletecollection - get - list - patch - - update - - watch - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - persistentvolumeclaims - - replicationcontrollers - - replicationcontrollers/scale - - secrets - - serviceaccounts - - services - - services/proxy - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - bindings - - events - - limitranges - - namespaces/status - - pods/log - - pods/status - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - impersonate - - apiGroups: - - apps - resources: - - daemonsets - - deployments - - deployments/rollback - - deployments/scale - - replicasets - - replicasets/scale - - statefulsets - - statefulsets/scale - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - 
create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - deployments/rollback - - deployments/scale - - ingresses - - networkpolicies - - replicasets - - replicasets/scale - - replicationcontrollers/scale - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - authorization.k8s.io - resources: - - localsubjectaccessreviews - verbs: - - create - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - rbac.authorization.k8s.io/aggregate-to-edit: "true" - name: system:aggregate-to-edit - rules: - - apiGroups: - - "" - resources: - - pods - - pods/attach - - pods/exec - - pods/portforward - - pods/proxy - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - persistentvolumeclaims - - replicationcontrollers - - replicationcontrollers/scale - - secrets - - serviceaccounts - - services - - services/proxy - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - bindings - - events - - 
limitranges - - namespaces/status - - pods/log - - pods/status - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - impersonate - - apiGroups: - - apps - resources: - - daemonsets - - deployments - - deployments/rollback - - deployments/scale - - replicasets - - replicasets/scale - - statefulsets - - statefulsets/scale - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - deployments/rollback - - deployments/scale - - ingresses - - networkpolicies - - replicasets - - replicasets/scale - - replicationcontrollers/scale - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - rbac.authorization.k8s.io/aggregate-to-view: "true" - name: system:aggregate-to-view - 
rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - persistentvolumeclaims - - pods - - replicationcontrollers - - replicationcontrollers/scale - - serviceaccounts - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - bindings - - events - - limitranges - - namespaces/status - - pods/log - - pods/status - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - daemonsets - - deployments - - deployments/scale - - replicasets - - replicasets/scale - - statefulsets - - statefulsets/scale - verbs: - - get - - list - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - deployments/scale - - ingresses - - networkpolicies - - replicasets - - replicasets/scale - - replicationcontrollers/scale - verbs: - - get - - list - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:heapster - rules: - - apiGroups: - - "" - resources: - - events - - namespaces - - nodes - - pods - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - deployments - verbs: - - get - - list - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - 
metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - localsubjectaccessreviews - - subjectaccessreviews - verbs: - - create - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - create - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - - update - - apiGroups: - - "" - resources: - - nodes - verbs: - - delete - - patch - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update - - apiGroups: - - "" - resources: - - pods/eviction - verbs: - - create - - apiGroups: - - "" - resources: - - configmaps - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - - persistentvolumes - verbs: - - get - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims/status - verbs: - - get - - patch - - update - - apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: 
null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-problem-detector - rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - nodes/status - verbs: - - patch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-proxier - rules: - - apiGroups: - - "" - resources: - - endpoints - - services - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kubelet-api-admin - rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - proxy - - apiGroups: - - "" - resources: - - nodes/log - - nodes/metrics - - nodes/proxy - - nodes/spec - - nodes/stats - verbs: - - '*' -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-bootstrapper - rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - 
annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:auth-delegator - rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-aggregator - rules: - - apiGroups: - - "" - resources: - - endpoints - - services - verbs: - - get - - list - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-controller-manager - rules: - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - "" - resources: - - endpoints - - secrets - - serviceaccounts - verbs: - - create - - apiGroups: - - "" - resources: - - secrets - verbs: - - delete - - apiGroups: - - "" - resources: - - endpoints - - namespaces - - secrets - - serviceaccounts - verbs: - - get - - apiGroups: - - "" - resources: - - endpoints - - secrets - - serviceaccounts - verbs: - - update - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - '*' - resources: - - '*' - verbs: - - list - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - 
creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-scheduler - rules: - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - apiGroups: - - "" - resourceNames: - - kube-scheduler - resources: - - endpoints - verbs: - - delete - - get - - patch - - update - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - delete - - get - - list - - watch - - apiGroups: - - "" - resources: - - bindings - - pods/binding - verbs: - - create - - apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update - - apiGroups: - - "" - resources: - - replicationcontrollers - - services - verbs: - - get - - list - - watch - - apiGroups: - - apps - - extensions - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - - persistentvolumes - verbs: - - get - - list - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-dns - rules: - - apiGroups: - - "" - resources: - - endpoints - - services - verbs: - - list - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:persistent-volume-provisioner - rules: - 
- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - create - - delete - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - update - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:csi-external-provisioner - rules: - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - create - - delete - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - update - - watch -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:csi-external-attacher - rules: - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - update - - watch 
-- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:aws-cloud-provider - rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - patch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:certificates.k8s.io:certificatesigningrequests:nodeclient - rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/nodeclient - verbs: - - create -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient - rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/selfnodeclient - verbs: - - create -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - annotations: - authorization.openshift.io/system-only: "true" - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:volume-scheduler - rules: - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch -- apiVersion: 
rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:masters - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:master - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:masters -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:node-admins - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node-admin - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:master - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:node-admins -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: cluster-admins - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:cluster-admins - - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:admin -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: cluster-readers - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-reader - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:cluster-readers -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: basic-users - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: basic-user - subjects: - - apiGroup: 
rbac.authorization.k8s.io - kind: Group - name: system:authenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: self-access-reviewers - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: self-access-reviewer - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: self-provisioners - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: self-provisioner - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated:oauth -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:oauth-token-deleters - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:oauth-token-deleter - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: cluster-status-binding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-status - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: 
ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:node-proxiers - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node-proxier - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:nodes -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:sdn-readers - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:sdn-reader - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:nodes -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:webhooks - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:webhook - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:discovery-binding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:discovery - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:build-strategy-docker-binding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: 
system:build-strategy-docker - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:build-strategy-source-binding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:build-strategy-source - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:build-strategy-jenkinspipeline-binding - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:build-strategy-jenkinspipeline - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:node-bootstrapper - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node-bootstrapper - subjects: - - kind: ServiceAccount - name: node-bootstrapper - namespace: openshift-infra -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:scope-impersonation - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:scope-impersonation - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - 
rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - name: system:nodes - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:attachdetach-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:attachdetach-controller - subjects: - - kind: ServiceAccount - name: attachdetach-controller - namespace: kube-system + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding + kind: ClusterRole metadata: annotations: + authorization.openshift.io/system-only: "true" rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:clusterrole-aggregation-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:clusterrole-aggregation-controller - subjects: - - kind: ServiceAccount - name: clusterrole-aggregation-controller - namespace: kube-system + name: system:csi-external-attacher + rules: + - apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding + kind: ClusterRole metadata: annotations: + authorization.openshift.io/system-only: "true" rbac.authorization.kubernetes.io/autoupdate: "true" 
creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:cronjob-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:cronjob-controller - subjects: - - kind: ServiceAccount - name: cronjob-controller - namespace: kube-system + name: system:aws-cloud-provider + rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - patch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - update - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding + kind: ClusterRole metadata: annotations: + authorization.openshift.io/system-only: "true" rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:daemon-set-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:daemon-set-controller - subjects: - - kind: ServiceAccount - name: daemon-set-controller - namespace: kube-system + name: system:certificates.k8s.io:certificatesigningrequests:nodeclient + rules: + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/nodeclient + verbs: + - create - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding + kind: ClusterRole metadata: annotations: + authorization.openshift.io/system-only: "true" rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:deployment-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:deployment-controller - subjects: - - kind: ServiceAccount - name: deployment-controller - namespace: kube-system + name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient + rules: + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/selfnodeclient + 
verbs: + - create - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding + kind: ClusterRole metadata: annotations: + authorization.openshift.io/system-only: "true" rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null labels: kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:disruption-controller - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:controller:disruption-controller - subjects: - - kind: ServiceAccount - name: disruption-controller - namespace: kube-system + name: system:volume-scheduler + rules: + - apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:endpoint-controller + name: system:masters roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:endpoint-controller + name: system:master subjects: - - kind: ServiceAccount - name: endpoint-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:masters - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:expand-controller + name: system:node-admins roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:expand-controller + name: system:node-admin subjects: - - kind: ServiceAccount - name: expand-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: User + name: system:master + - 
apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:node-admins - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:generic-garbage-collector + name: cluster-admins roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:generic-garbage-collector + name: cluster-admin subjects: - - kind: ServiceAccount - name: generic-garbage-collector - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:cluster-admins + - apiGroup: rbac.authorization.k8s.io + kind: User + name: system:admin - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:horizontal-pod-autoscaler + name: cluster-readers roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:horizontal-pod-autoscaler + name: cluster-reader subjects: - - kind: ServiceAccount - name: horizontal-pod-autoscaler - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:cluster-readers - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:job-controller + name: basic-users roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:job-controller + name: basic-user subjects: - - kind: ServiceAccount - name: job-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: 
ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:namespace-controller + name: self-access-reviewers roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:namespace-controller + name: self-access-reviewer subjects: - - kind: ServiceAccount - name: namespace-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:node-controller + name: self-provisioners roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:node-controller + name: self-provisioner subjects: - - kind: ServiceAccount - name: node-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated:oauth - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:persistent-volume-binder + name: system:oauth-token-deleters roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:persistent-volume-binder + name: system:oauth-token-deleter subjects: - - kind: ServiceAccount - name: persistent-volume-binder - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated - apiVersion: 
rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pod-garbage-collector + name: cluster-status-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:pod-garbage-collector + name: cluster-status subjects: - - kind: ServiceAccount - name: pod-garbage-collector - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:replicaset-controller + name: system:node-proxiers roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:replicaset-controller + name: system:node-proxier subjects: - - kind: ServiceAccount - name: replicaset-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:nodes - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:replication-controller + name: system:sdn-readers roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:replication-controller - subjects: - - kind: ServiceAccount - name: replication-controller - namespace: kube-system + name: system:sdn-reader + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:nodes - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: 
rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:resourcequota-controller + name: system:webhooks roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:resourcequota-controller + name: system:webhook subjects: - - kind: ServiceAccount - name: resourcequota-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:route-controller + name: system:openshift:discovery roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:route-controller + name: system:openshift:discovery subjects: - - kind: ServiceAccount - name: route-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:service-account-controller + name: system:build-strategy-docker-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:service-account-controller + name: system:build-strategy-docker subjects: - - kind: ServiceAccount - name: service-account-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: 
ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:service-controller + name: system:build-strategy-source-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:service-controller + name: system:build-strategy-source subjects: - - kind: ServiceAccount - name: service-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:statefulset-controller + name: system:build-strategy-jenkinspipeline-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:statefulset-controller + name: system:build-strategy-jenkinspipeline subjects: - - kind: ServiceAccount - name: statefulset-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:ttl-controller + name: system:node-bootstrapper roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:ttl-controller + name: system:node-bootstrapper subjects: - kind: ServiceAccount - name: ttl-controller - namespace: kube-system + name: node-bootstrapper + namespace: openshift-infra - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - 
kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:certificate-controller + name: system:scope-impersonation roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:certificate-controller + name: system:scope-impersonation subjects: - - kind: ServiceAccount - name: certificate-controller - namespace: kube-system + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:authenticated + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: system:unauthenticated - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pvc-protection-controller + name: system:nodes roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:pvc-protection-controller - subjects: - - kind: ServiceAccount - name: pvc-protection-controller - namespace: kube-system + name: system:node - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:controller:pv-protection-controller + name: system:discovery-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:controller:pv-protection-controller - subjects: - - kind: ServiceAccount - name: pv-protection-controller - namespace: kube-system + name: system:discovery - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -7229,178 +5572,6 @@ items: - kind: ServiceAccount name: namespace-security-allocation-controller namespace: openshift-infra -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: cluster-admin - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:masters -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:discovery - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:discovery - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:basic-user - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:basic-user - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated - - apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:unauthenticated -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-proxier - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node-proxier - subjects: 
- - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:kube-proxy -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-controller-manager - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kube-controller-manager - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:kube-controller-manager -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-dns - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kube-dns - subjects: - - kind: ServiceAccount - name: kube-dns - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:kube-scheduler - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:kube-scheduler - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:kube-scheduler -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:aws-cloud-provider - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:aws-cloud-provider - subjects: - - kind: ServiceAccount - name: aws-cloud-provider - namespace: kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - 
annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - creationTimestamp: null - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:volume-scheduler - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:volume-scheduler - subjects: - - apiGroup: rbac.authorization.k8s.io - kind: User - name: system:kube-scheduler - apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: From fa149e87718632ce9cb2ab90e0bdad71e8476c28 Mon Sep 17 00:00:00 2001 From: David Eads Date: Tue, 14 Aug 2018 11:42:06 -0400 Subject: [PATCH 2/2] use the upstream RBAC roles for reconciliation --- pkg/cmd/server/bootstrappolicy/constants.go | 6 +- pkg/cmd/server/bootstrappolicy/dead.go | 3 + pkg/cmd/server/bootstrappolicy/policy.go | 65 ++----------------- .../bootstrappolicy/web_console_role_test.go | 1 + .../server/kubernetes/master/master_config.go | 4 -- test/integration/master_routes_test.go | 1 + 6 files changed, 12 insertions(+), 68 deletions(-) diff --git a/pkg/cmd/server/bootstrappolicy/constants.go b/pkg/cmd/server/bootstrappolicy/constants.go index bdbb3ff7d870..d9089d914df7 100644 --- a/pkg/cmd/server/bootstrappolicy/constants.go +++ b/pkg/cmd/server/bootstrappolicy/constants.go @@ -33,8 +33,6 @@ const ( // groups const ( - UnauthenticatedUsername = "system:anonymous" - AuthenticatedGroup = "system:authenticated" AuthenticatedOAuthGroup = "system:authenticated:oauth" UnauthenticatedGroup = "system:unauthenticated" 
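Review bot: `AuthenticatedGroup` is deleted from this const block, yet the new discovery binding in policy.go (hunk at -876) still calls `Groups(AuthenticatedGroup, UnauthenticatedGroup)`, so the identifier must now come from a definition elsewhere in the package that the diff does not show. Since this constant decides which subjects the discovery, webhook and similar bindings are granted to, it is worth confirming in the commit that the replacement still evaluates to `"system:authenticated"` and is not a different group. The enclosing `const (` block starts and ends outside the hunk.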
@@ -43,7 +41,6 @@ const ( MastersGroup = "system:masters" NodesGroup = "system:nodes" NodeAdminsGroup = "system:node-admins" - NodeReadersGroup = "system:node-readers" ) // Service Account Names that are not controller related @@ -96,7 +93,7 @@ const ( SDNManagerRoleName = "system:sdn-manager" OAuthTokenDeleterRoleName = "system:oauth-token-deleter" WebHooksRoleName = "system:webhook" - DiscoveryRoleName = "system:discovery" + DiscoveryRoleName = "system:openshift:discovery" // NodeAdmin has full access to the API provided by the kubelet NodeAdminRoleName = "system:node-admin" @@ -127,7 +124,6 @@ const ( NodeAdminRoleBindingName = NodeAdminRoleName + "s" SDNReaderRoleBindingName = SDNReaderRoleName + "s" WebHooksRoleBindingName = WebHooksRoleName + "s" - DiscoveryRoleBindingName = DiscoveryRoleName + "-binding" OpenshiftSharedResourceViewRoleBindingName = OpenshiftSharedResourceViewRoleName + "s" diff --git a/pkg/cmd/server/bootstrappolicy/dead.go b/pkg/cmd/server/bootstrappolicy/dead.go index 8737fd671d2f..4dee5e2fcbb8 100644 --- a/pkg/cmd/server/bootstrappolicy/dead.go +++ b/pkg/cmd/server/bootstrappolicy/dead.go @@ -76,4 +76,7 @@ func init() { // this was replaced by the node authorizer addDeadClusterRoleBinding("system:nodes", "system:node") + + // this was replaced by an openshift specific role and binding + addDeadClusterRoleBinding("system:discovery-binding", "system:discovery") } diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go index 4c3b5ca0efed..9b270de83d2d 100644 --- a/pkg/cmd/server/bootstrappolicy/policy.go +++ b/pkg/cmd/server/bootstrappolicy/policy.go 
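Review bot: The new value of `DiscoveryRoleName` carries no comment explaining why it is prefixed, although the rename is the load-bearing part of this patch: it moves the OpenShift role out of the way of upstream's `system:discovery`, which the kube RBAC post-start hook re-enabled in master_config.go now reconciles. Suggest `// prefixed so it does not collide with upstream's system:discovery, which is owned by the kube rbac/bootstrap-roles post-start hook; both roles end up bound to system:authenticated and system:unauthenticated` on that line (the removed testdata at -7229 shows the upstream binding granted to both groups). The same gap exists in the dead.go hunk, where `addDeadClusterRoleBinding("system:discovery-binding", "system:discovery")` retires only the old binding name; its comment should say that the `system:discovery` role itself stays and is reconciled upstream, so nobody later adds it to the dead roles. The `const (` block around the rename starts and ends outside the hunk.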
@@ -102,18 +102,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole { // four resource can be a single line // up to ten-ish resources per line otherwise clusterRoles := []rbacv1.ClusterRole{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: ClusterAdminRoleName, - Annotations: map[string]string{ - oapi.OpenShiftDescription: "A super-user that can perform any action in the cluster. When granted to a user within a project, they have full control over quota and membership and can perform every action on every resource in the project.", - }, - }, - Rules: []rbacv1.PolicyRule{ - rbacv1helpers.NewRule(rbacv1.VerbAll).Groups(rbacv1.APIGroupAll).Resources(rbacv1.ResourceAll).RuleOrDie(), - rbacv1helpers.NewRule(rbacv1.VerbAll).URLs(rbacv1.NonResourceAll).RuleOrDie(), - }, - }, { ObjectMeta: metav1.ObjectMeta{ Name: SudoerRoleName, @@ -741,7 +729,6 @@ func GetBootstrapClusterRoles() []rbacv1.ClusterRole { // so add them to this list. openshiftClusterRoles = append(openshiftClusterRoles, GetDeadClusterRoles()...) kubeClusterRoles := bootstrappolicy.ClusterRoles() - kubeSAClusterRoles := bootstrappolicy.ControllerRoles() openshiftControllerRoles := ControllerRoles() // Eventually openshift controllers and kube controllers have different prefixes 
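Review bot: Dropping the OpenShift definition of `cluster-admin` also drops its `oapi.OpenShiftDescription` annotation, and the upstream role that replaces it has no such description unless the "conditionally add the web console annotations" step later in GetBootstrapClusterRoles covers kube roles too — that code is outside this hunk, so please confirm. The rules themselves are equivalent in intent (all verbs on all resources and all non-resource URLs), so the permission surface should not change, but the role is now owned by the upstream reconciler rather than by this list. The `clusterRoles` literal that the removed entry belonged to continues past the end of the hunk.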
@@ -757,26 +744,14 @@ func GetBootstrapClusterRoles() []rbacv1.ClusterRole { } conflictingNames := kubeClusterRoleNames.Intersection(openshiftClusterRoleNames) - extraRBACConflicts := conflictingNames.Difference(clusterRoleConflicts) - extraWhitelistEntries := clusterRoleConflicts.Difference(conflictingNames) - switch { - case len(extraRBACConflicts) > 0 && len(extraWhitelistEntries) > 0: - panic(fmt.Sprintf("kube ClusterRoles conflict with openshift ClusterRoles: %v and ClusterRole whitelist contains a extraneous entries: %v ", extraRBACConflicts.List(), extraWhitelistEntries.List())) - case len(extraRBACConflicts) > 0: - panic(fmt.Sprintf("kube ClusterRoles conflict with openshift ClusterRoles: %v", extraRBACConflicts.List())) - case len(extraWhitelistEntries) > 0: - panic(fmt.Sprintf("ClusterRole whitelist contains a extraneous entries: %v", extraWhitelistEntries.List())) + if len(conflictingNames) > 0 { + panic(fmt.Sprintf("kube ClusterRoles conflict with openshift ClusterRoles: %v", conflictingNames.List())) } finalClusterRoles := []rbacv1.ClusterRole{} finalClusterRoles = append(finalClusterRoles, openshiftClusterRoles...) finalClusterRoles = append(finalClusterRoles, openshiftControllerRoles...) - finalClusterRoles = append(finalClusterRoles, kubeSAClusterRoles...) - for i := range kubeClusterRoles { - if !clusterRoleConflicts.Has(kubeClusterRoles[i].Name) { - finalClusterRoles = append(finalClusterRoles, kubeClusterRoles[i]) - } - } + finalClusterRoles = append(finalClusterRoles, kubeClusterRoles...) // TODO we should not do this for kube cluster roles since we cannot control them once we run on top of kube // conditionally add the web console annotations 
@@ -876,7 +851,7 @@ func GetOpenshiftBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding { newOriginClusterBinding(WebHooksRoleBindingName, WebHooksRoleName). Groups(AuthenticatedGroup, UnauthenticatedGroup). BindingOrDie(), - newOriginClusterBinding(DiscoveryRoleBindingName, DiscoveryRoleName). + rbacv1helpers.NewClusterBinding(DiscoveryRoleName). Groups(AuthenticatedGroup, UnauthenticatedGroup). BindingOrDie(), // Allow all build strategies by default. @@ -915,7 +890,6 @@ func GetBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding { openshiftClusterRoleBindings = append(openshiftClusterRoleBindings, GetDeadClusterRoleBindings()...) kubeClusterRoleBindings := bootstrappolicy.ClusterRoleBindings() - kubeControllerClusterRoleBindings := bootstrappolicy.ControllerRoleBindings() openshiftControllerClusterRoleBindings := ControllerRoleBindings() // openshift controllers and kube controllers have different prefixes 
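Review bot: The discovery binding is now built with `rbacv1helpers.NewClusterBinding(DiscoveryRoleName)` while every neighbouring binding in this slice uses `newOriginClusterBinding(...)`; that makes the binding name equal the role name (`system:openshift:discovery`, matching the regenerated testdata), but it also skips whatever `newOriginClusterBinding` adds beyond the name, and its body is not in this diff, so I cannot tell whether an annotation is lost. A short comment would stop the next reader from "fixing" it back to the helper: `// binding name intentionally equals the role name; see DiscoveryRoleName`. GetOpenshiftBootstrapClusterRoleBindings continues outside the hunk.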
@@ -930,44 +904,17 @@ func GetBootstrapClusterRoleBindings() []rbacv1.ClusterRoleBinding { } conflictingNames := kubeClusterRoleBindingNames.Intersection(openshiftClusterRoleBindingNames) - extraRBACConflicts := conflictingNames.Difference(clusterRoleBindingConflicts) - extraWhitelistEntries := clusterRoleBindingConflicts.Difference(conflictingNames) - switch { - case len(extraRBACConflicts) > 0 && len(extraWhitelistEntries) > 0: - panic(fmt.Sprintf("kube ClusterRoleBindings conflict with openshift ClusterRoleBindings: %v and ClusterRoleBinding whitelist contains a extraneous entries: %v ", extraRBACConflicts.List(), extraWhitelistEntries.List())) - case len(extraRBACConflicts) > 0: - panic(fmt.Sprintf("kube ClusterRoleBindings conflict with openshift ClusterRoleBindings: %v", extraRBACConflicts.List())) - case len(extraWhitelistEntries) > 0: - panic(fmt.Sprintf("ClusterRoleBinding whitelist contains a extraneous entries: %v", extraWhitelistEntries.List())) + if len(conflictingNames) > 0 { + panic(fmt.Sprintf("kube ClusterRoleBindings conflict with openshift ClusterRoleBindings: %v", conflictingNames.List())) } finalClusterRoleBindings := []rbacv1.ClusterRoleBinding{} finalClusterRoleBindings = append(finalClusterRoleBindings, openshiftClusterRoleBindings...) - finalClusterRoleBindings = append(finalClusterRoleBindings, kubeControllerClusterRoleBindings...) finalClusterRoleBindings = append(finalClusterRoleBindings, openshiftControllerClusterRoleBindings...) - for i := range kubeClusterRoleBindings { - if !clusterRoleBindingConflicts.Has(kubeClusterRoleBindings[i].Name) { - finalClusterRoleBindings = append(finalClusterRoleBindings, kubeClusterRoleBindings[i]) - } - } return finalClusterRoleBindings } -// clusterRoleConflicts lists the roles which are known to conflict with upstream and which we have manually -// deconflicted with our own. 
-var clusterRoleConflicts = sets.NewString( - // TODO this should probably be re-swizzled to be the delta on top of the kube role - "system:discovery", - - // TODO these should be reconsidered - "cluster-admin", -) - -// clusterRoleBindingConflicts lists the roles which are known to conflict with upstream and which we have manually -// deconflicted with our own. -var clusterRoleBindingConflicts = sets.NewString() - // The current list of roles considered useful for normal users (non-admin) var rolesToShow = sets.NewString( "admin", diff --git a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go index 63f0b1583407..6d4b9418be6d 100644 --- a/pkg/cmd/server/bootstrappolicy/web_console_role_test.go +++ b/pkg/cmd/server/bootstrappolicy/web_console_role_test.go @@ -66,6 +66,7 @@ var rolesToHide = sets.NewString( "system:openshift:aggregate-to-edit", "system:openshift:aggregate-to-view", "system:openshift:aggregate-to-cluster-reader", + "system:openshift:discovery", "system:kubelet-api-admin", "system:volume-scheduler", ) diff --git a/pkg/cmd/server/kubernetes/master/master_config.go b/pkg/cmd/server/kubernetes/master/master_config.go index 72351ec2cd77..6d04007a4a74 100644 --- a/pkg/cmd/server/kubernetes/master/master_config.go +++ b/pkg/cmd/server/kubernetes/master/master_config.go @@ -51,7 +51,6 @@ import ( "k8s.io/kubernetes/pkg/registry/cachesize" "k8s.io/kubernetes/pkg/registry/core/endpoint" endpointsstorage "k8s.io/kubernetes/pkg/registry/core/endpoint/storage" - rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest" kversion "k8s.io/kubernetes/pkg/version" "github.com/openshift/library-go/pkg/crypto" 
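Review bot: After this hunk GetBootstrapClusterRoleBindings never appends `kubeClusterRoleBindings`, yet it still computes them (at the top of the function, outside the hunk) purely for the conflict check, and nothing in the function says that the upstream bindings are now created and kept in sync by the kube rbac/bootstrap-roles post-start hook that master_config.go stops disabling. Suggest a comment above the `finalClusterRoleBindings` assembly: `// upstream cluster role bindings are owned by the kube rbac post-start hook; we only verify ours do not collide with them`. The same explanation is missing from GetBootstrapClusterRoles at -757, which, unlike this function, still appends `kubeClusterRoles`; a pointer from the existing TODO there to this comment would make the asymmetry deliberate rather than accidental.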
@@ -412,9 +411,6 @@ func (rc *incompleteKubeMasterConfig) Complete( genericConfig.PublicAddress = publicAddress genericConfig.Authentication.Authenticator = originAuthenticator // this is used to fulfill the tokenreviews endpoint which is used by node authentication genericConfig.Authorization.Authorizer = kubeAuthorizer // this is used to fulfill the kube SAR endpoints - genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName) - // This disables the ThirdPartyController which removes handlers from our go-restful containers. The remove functionality is broken and destroys the serve mux. - genericConfig.DisabledPostStartHooks.Insert("extensions/third-party-resources") genericConfig.AdmissionControl = admissionControl genericConfig.RequestInfoResolver = configprocessing.OpenshiftRequestInfoResolver() genericConfig.OpenAPIConfig = configprocessing.DefaultOpenAPIConfig(masterConfig) diff --git a/test/integration/master_routes_test.go b/test/integration/master_routes_test.go index a3b3a65d590d..f940c92cf808 100644 --- a/test/integration/master_routes_test.go +++ b/test/integration/master_routes_test.go @@ -125,6 +125,7 @@ var expectedIndex = []string{ "/healthz/poststarthook/project.openshift.io-projectauthorizationcache", "/healthz/poststarthook/project.openshift.io-projectcache", "/healthz/poststarthook/quota.openshift.io-clusterquotamapping", + "/healthz/poststarthook/rbac/bootstrap-roles", "/healthz/poststarthook/scheduling/bootstrap-system-priority-classes", "/healthz/poststarthook/security.openshift.io-bootstrapscc", "/healthz/poststarthook/start-apiextensions-controllers",
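Review bot: Besides re-enabling the upstream RBAC post-start hook, this hunk also drops the disabling of `extensions/third-party-resources` together with the comment that justified it, which the subject line does not cover. If that hook no longer exists in the vendored kube this is harmless cleanup and deserves a one-line mention in the description; if it still exists, its removal changes which handlers get installed on the serve mux and belongs in a separate commit. The expected-routes test in master_routes_test.go only pins `/healthz/poststarthook/rbac/bootstrap-roles`, so it would not catch the difference. The Complete method continues outside the hunk.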