From 087d7660b4534442aed41346fee3a125e0ab0497 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Tue, 13 Mar 2018 16:01:31 -0400 Subject: [PATCH 1/2] UPSTREAM: : Remove write permissions on daemonsets from Kubernetes bootstrap policy Due to how daemonsets interact with the project node selector, we need to limit write access to them to the cluster admin. Bug 1536304 Bug 1501514 Signed-off-by: Monis Khan
---
 .../authorizer/rbac/bootstrappolicy/policy.go | 10 +++--- .../testdata/cluster-roles.yaml | 36 ++++++++++++++++--- 2 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index b54d7c6dfdc9..774039c5267d 100644
--- a/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -227,17 +227,18 @@ func ClusterRoles() []rbac.ClusterRole { rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets", - "daemonsets", "deployments", "deployments/scale", "deployments/rollback", "replicasets", "replicasets/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(appsGroup).Resources("daemonsets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(), - rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", + rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources( "deployments", "deployments/scale", "deployments/rollback", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), 
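Review bot: The two new `rbac.NewRule(Read...).Groups(...).Resources("daemonsets").RuleOrDie()` lines carry no comment saying why daemonsets alone are split out of the ReadWrite lists, so at the next upstream rebase this carried deviation will read as an accident; the reason lives only in the commit message. I would add above each new rule `// daemonsets are intentionally read-only for this role: write access is limited to cluster-admin because of how daemonsets interact with the project node selector (Bug 1536304, Bug 1501514)`. The same applies to the hunk at `@@ -263`, which duplicates the same four-line edit for a second role; a shared rule list for the two roles would keep them from drifting apart. This only narrows these two bootstrap roles — a binding that grants `*` or write verbs on the apps or extensions groups elsewhere would still allow daemonset writes, which is presumably out of scope here but worth a sentence in the comment. The enclosing ClusterRoles() starts before and ends after the hunk, and the collapsed hunk text shown here appears to omit some context lines.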
@@ -263,17 +264,18 @@ func ClusterRoles() []rbac.ClusterRole { rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("statefulsets", - "daemonsets", "deployments", "deployments/scale", "deployments/rollback", "replicasets", "replicasets/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(appsGroup).Resources("daemonsets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(), - rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("daemonsets", + rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources( "deployments", "deployments/scale", "deployments/rollback", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale").RuleOrDie(), + rbac.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(), rbac.NewRule(ReadWrite...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(), },
diff --git a/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 1e2a36c6289d..aadd273ce756 100644
--- a/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -130,7 +130,6 @@ items:
 - apiGroups:
 - apps
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -146,6 +145,14 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - autoscaling
 resources:
@@ -176,7 +183,6 @@ items:
 - apiGroups:
 - extensions
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -193,6 +199,14 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - policy
 resources:
@@ -308,7 +322,6 @@ items:
 - apiGroups:
 - apps
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -324,6 +337,14 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - autoscaling
 resources:
@@ -354,7 +375,6 @@ items:
 - apiGroups:
 - extensions
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -371,6 +391,14 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - policy
 resources:
From a42347be22a9bb53fcc4bbb088e4f4074cb54c76 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Tue, 13 Mar 2018 16:02:14 -0400 Subject: [PATCH 2/2] Update policy tests to reflect removal of write access on daemonsets Bug 1536304 Bug 1501514 Signed-off-by: Monis Khan
---
 .../bootstrap_cluster_roles.yaml | 36 +++++++++++++++-- .../bootstrap_policy_file.yaml | 40 +++++++++++++++++-- 2 files changed, 68 insertions(+), 8 deletions(-)
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
index 40596d549b22..d6542a6eabd5 100644
--- a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -4857,7 +4857,6 @@ items:
 - apiGroups:
 - apps
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -4873,6 +4872,14 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - autoscaling
 resources:
@@ -4903,7 +4910,6 @@ items:
 - apiGroups:
 - extensions
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -4920,6 +4926,14 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - policy
 resources:
@@ -5036,7 +5050,6 @@ items:
 - apiGroups:
 - apps
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -5052,6 +5065,14 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - autoscaling
 resources:
@@ -5082,7 +5103,6 @@ items:
 - apiGroups:
 - extensions
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -5099,6 +5119,14 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - extensions
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - policy
 resources:
diff --git a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml
index 2fe6f6d99a48..211b540cb55b 100644
--- a/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml
+++ b/test/testdata/bootstrappolicy/bootstrap_policy_file.yaml
@@ -5319,7 +5319,6 @@ items:
 - apps
 attributeRestrictions: null
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -5335,6 +5334,15 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - apps
+ attributeRestrictions: null
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - autoscaling
 attributeRestrictions: null
@@ -5368,7 +5376,6 @@ items:
 - extensions
 attributeRestrictions: null
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -5385,6 +5392,15 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - extensions
+ attributeRestrictions: null
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - policy
 attributeRestrictions: null
@@ -5510,7 +5526,6 @@ items:
 - apps
 attributeRestrictions: null
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -5526,6 +5541,15 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - apps
+ attributeRestrictions: null
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - autoscaling
 attributeRestrictions: null
@@ -5559,7 +5583,6 @@ items:
 - extensions
 attributeRestrictions: null
 resources:
- - daemonsets
 - deployments
 - deployments/rollback
 - deployments/scale
@@ -5576,6 +5599,15 @@ items:
 - patch
 - update
 - watch
+ - apiGroups:
+ - extensions
+ attributeRestrictions: null
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - policy
 attributeRestrictions: null