From 6b82223138641c54582fb539b412ca5175a1e2dc Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Tue, 13 Mar 2018 15:44:24 -0400 Subject: [PATCH] UPSTREAM: : Remove write permissions on daemonsets from Kubernetes bootstrap policy Due to how daemonsets interact with the project node selector, we need to limit write access to them to the cluster admin. Bug 1536304 Bug 1501514 Signed-off-by: Monis Khan --- .../bootstrap_cluster_roles.yaml | 36 +++++++++++++++-- .../bootstrap_policy_file.yaml | 40 +++++++++++++++++-- .../authorizer/rbac/bootstrappolicy/policy.go | 10 +++-- .../testdata/cluster-roles.yaml | 36 +++++++++++++++-- 4 files changed, 106 insertions(+), 16 deletions(-) diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index 40596d549b22..d6542a6eabd5 100644 --- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml @@ -4857,7 +4857,6 @@ items: - apiGroups: - apps resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -4873,6 +4872,14 @@ items: - patch - update - watch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - autoscaling resources: @@ -4903,7 +4910,6 @@ items: - apiGroups: - extensions resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -4920,6 +4926,14 @@ items: - patch - update - watch + - apiGroups: + - extensions + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - policy resources: @@ -5036,7 +5050,6 @@ items: - apiGroups: - apps resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -5052,6 +5065,14 @@ items: - patch - update - watch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - autoscaling resources: 
@@ -5082,7 +5103,6 @@ items: - apiGroups: - extensions resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -5099,6 +5119,14 @@ items: - patch - update - watch + - apiGroups: + - extensions + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - policy resources: diff --git a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml index 2fe6f6d99a48..211b540cb55b 100644 --- a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml +++ b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml @@ -5319,7 +5319,6 @@ items: - apps attributeRestrictions: null resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -5335,6 +5334,15 @@ items: - patch - update - watch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - autoscaling attributeRestrictions: null @@ -5368,7 +5376,6 @@ items: - extensions attributeRestrictions: null resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -5385,6 +5392,15 @@ items: - patch - update - watch + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - policy attributeRestrictions: null @@ -5510,7 +5526,6 @@ items: - apps attributeRestrictions: null resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -5526,6 +5541,15 @@ items: - patch - update - watch + - apiGroups: + - apps + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - autoscaling attributeRestrictions: null @@ -5559,7 +5583,6 @@ items: - extensions attributeRestrictions: null resources: - - daemonsets - deployments - deployments/rollback - deployments/scale 
@@ -5576,6 +5599,15 @@ items: - patch - update - watch + - apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - policy attributeRestrictions: null diff --git a/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index b54d7c6dfdc9..774039c5267d 100644 --- a/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -227,17 +227,18 @@ func ClusterRoles() []rbac.ClusterRole { rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets", - "daemonsets", "deployments", "deployments/scale", "deployments/rollback", "replicasets", "replicasets/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(appsGroup).Resources("daemonsets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(), - rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", + rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources( "deployments", "deployments/scale", "deployments/rollback", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), 
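Review bot: The two new read-only `daemonsets` rules (`rbac.NewRule(Read...).Groups(appsGroup)...` and the extensionsGroup one) carry no comment saying why daemonsets alone are split out of the ReadWrite list; the reason lives only in the commit message, and because this is a carry patch inside vendor/ these are exactly the lines a future rebase is likely to fold back into the ReadWrite rule. I would put the rationale on the first rule: `// daemonsets are deliberately read-only in this role: per bug 1536304 they do not honor the project node selector, so create/update/delete is reserved for cluster-admin.` and a one-line `// see daemonsets note above` on the extensionsGroup rule. The ClusterRole literal these rules belong to starts before the hunk, so which role it is cannot be confirmed here (the impersonate-serviceaccounts rule suggests admin or edit); the function `ClusterRoles` continues outside the hunk.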
@@ -263,17 +264,18 @@ func ClusterRoles() []rbac.ClusterRole { rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets", - "daemonsets", "deployments", "deployments/scale", "deployments/rollback", "replicasets", "replicasets/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(appsGroup).Resources("daemonsets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(), - rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", + rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources( "deployments", "deployments/scale", "deployments/rollback", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), }, diff --git a/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml index 1e2a36c6289d..aadd273ce756 100644 --- a/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml +++ b/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml @@ -130,7 +130,6 @@ items: - apiGroups: - apps resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -146,6 +145,14 @@ items: - patch - update - watch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - autoscaling resources: 
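Review bot: Nothing in the new code documents that tightening the bootstrap rule only reaches existing clusters through bootstrap-policy reconciliation; as far as I recall, a default ClusterRole whose `rbac.authorization.kubernetes.io/autoupdate` annotation has been set to "false", any locally copied role, and any custom role that grants write on `daemonsets` all keep that access after this change. Since the hunk is otherwise identical to the one at @@ -227, I would add a short comment above the first `rbac.NewRule(Read...)` line here: `// NOTE: this only changes the bootstrap default; roles with autoupdate=false or custom copies must be audited separately.` and note the same in release documentation for operators. The enclosing ClusterRole literal begins before the hunk and `ClusterRoles` continues past it, so the role name is inferred rather than visible.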
@@ -176,7 +183,6 @@ items: - apiGroups: - extensions resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -193,6 +199,14 @@ items: - patch - update - watch + - apiGroups: + - extensions + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - policy resources: @@ -308,7 +322,6 @@ items: - apiGroups: - apps resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -324,6 +337,14 @@ items: - patch - update - watch + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - autoscaling resources: @@ -354,7 +375,6 @@ items: - apiGroups: - extensions resources: - - daemonsets - deployments - deployments/rollback - deployments/scale @@ -371,6 +391,14 @@ items: - patch - update - watch + - apiGroups: + - extensions + resources: + - daemonsets + verbs: + - get + - list + - watch - apiGroups: - policy resources: