
Commit ae9e381

committed
remove unneeded permissions for system:controller:persistent-volume-binder and system:controller:expand-controller clusterroles
1 parent 20b2167 commit ae9e381


2 files changed

+22
-59
lines changed

2 files changed

+22
-59
lines changed

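--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -188,11 +188,10 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 rbacv1helpers.NewRule("get", "list", "watch", "update", "patch").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
 rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("persistentvolumeclaims/status").RuleOrDie(),
 rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
-// glusterfs
-rbacv1helpers.NewRule("get", "list", "watch").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
-rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
-rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
 eventsRule(),
+
+// volume plugin - portworx
+rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services").RuleOrDie(),
 },
 })
 
@@ -286,19 +285,15 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
 rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("persistentvolumeclaims/status").RuleOrDie(),
 rbacv1helpers.NewRule("list", "watch", "get", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
-
-// glusterfs
 rbacv1helpers.NewRule("get", "list", "watch").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
-rbacv1helpers.NewRule("get", "create", "update", "delete").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
-rbacv1helpers.NewRule("get", "create", "delete").Groups(legacyGroup).Resources("services").RuleOrDie(),
-rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
-// openstack
-rbacv1helpers.NewRule("get", "list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
+eventsRule(),
 
 // recyclerClient.WatchPod
 rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),
 
-eventsRule(),
+// volume plugin - portworx
+rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services").RuleOrDie(),
 },
 })
 addControllerRole(&controllerRoles, &controllerRoleBindings, func() rbacv1.ClusterRole {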
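Review bot: The `get` on services that survives in both roles is a cluster-wide grant, and the new `// volume plugin - portworx` comment above it says neither what the plugin reads nor when the grant can be dropped, which is exactly what the next cleanup needs after this one removed the glusterfs and openstack grants. I would expand it to `// volume plugin - portworx: in-tree plugin still needs cluster-wide get on services; remove together with the in-tree plugin` (the reason is inferred from the verb and plugin name, so confirm it against the plugin code before adopting the wording). In the second hunk the node rule changes from get/list to list/watch, which matches an informer-backed lister rather than direct reads; if any code path in that controller still issues a direct Get on nodes it would now surface as a forbidden error at runtime, and only a run against a cluster using the bootstrapped roles (unit tests bypass RBAC) would catch it. Both hunks start inside addControllerRole calls whose role names sit above the hunk, so which hunk belongs to expand-controller and which to persistent-volume-binder is not visible on this page.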

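--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
@@ -653,27 +653,6 @@ items:
 - get
 - list
 - watch
-- apiGroups:
-- storage.k8s.io
-resources:
-- storageclasses
-verbs:
-- get
-- list
-- watch
-- apiGroups:
-- ""
-resources:
-- endpoints
-- services
-verbs:
-- get
-- apiGroups:
-- ""
-resources:
-- secrets
-verbs:
-- get
 - apiGroups:
 - ""
 - events.k8s.io
@@ -683,6 +662,12 @@ items:
 - create
 - patch
 - update
+- apiGroups:
+- ""
+resources:
+- services
+verbs:
+- get
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -1009,33 +994,19 @@ items:
 - apiGroups:
 - ""
 resources:
-- endpoints
+- nodes
 verbs:
-- create
-- delete
-- get
-- update
+- list
+- watch
 - apiGroups:
 - ""
+- events.k8s.io
 resources:
-- services
+- events
 verbs:
 - create
-- delete
-- get
-- apiGroups:
-- ""
-resources:
-- secrets
-verbs:
-- get
-- apiGroups:
-- ""
-resources:
-- nodes
-verbs:
-- get
-- list
+- patch
+- update
 - apiGroups:
 - ""
 resources:
@@ -1044,13 +1015,10 @@ items:
 - watch
 - apiGroups:
 - ""
-- events.k8s.io
 resources:
-- events
+- services
 verbs:
-- create
-- patch
-- update
+- get
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: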
