Merge pull request #8455 from deads2k/image-auditor

Merged by openshift-bot

pkg/cmd/server/bootstrappolicy/constants.go

@@ -63,6 +63,7 @@ const (
 	RegistryViewerRoleName = "registry-viewer"
 	RegistryEditorRoleName = "registry-editor"
 
+	ImageAuditorRoleName      = "system:image-auditor"
 	ImagePullerRoleName       = "system:image-puller"
 	ImagePusherRoleName       = "system:image-pusher"
 	ImageBuilderRoleName      = "system:image-builder"

pkg/cmd/server/bootstrappolicy/policy.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/openshift/origin/pkg/api"
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	imageapi "github.com/openshift/origin/pkg/image/api"
 )
 
 func GetBootstrapOpenshiftRoles(openshiftNamespace string) []authorizationapi.Role {
@@ -302,6 +303,18 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 				},
 			},
 		},
+		{
+			ObjectMeta: kapi.ObjectMeta{
+				Name: ImageAuditorRoleName,
+			},
+			Rules: []authorizationapi.PolicyRule{
+				{
+					APIGroups: []string{imageapi.GroupName},
+					Verbs:     sets.NewString("get", "list", "watch", "patch", "update"),
+					Resources: sets.NewString("images"),
+				},
+			},
+		},
 		{
 			ObjectMeta: kapi.ObjectMeta{
 				Name: ImagePullerRoleName,

test/fixtures/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -671,6 +671,23 @@ items:
     resources: []
     verbs:
     - get
+- apiVersion: v1
+  kind: ClusterRole
+  metadata:
+    creationTimestamp: null
+    name: system:image-auditor
+  rules:
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - images
+    verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
 - apiVersion: v1
   kind: ClusterRole
   metadata: