17 package bootstrappolicy
19 import (
20 capi "k8s.io/api/certificates/v1beta1"
21 rbacv1 "k8s.io/api/rbac/v1"
22 "k8s.io/apimachinery/pkg/api/meta"
23 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
24 "k8s.io/apimachinery/pkg/runtime"
25 "k8s.io/apiserver/pkg/authentication/serviceaccount"
26 "k8s.io/apiserver/pkg/authentication/user"
27 utilfeature "k8s.io/apiserver/pkg/util/feature"
28 rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
29 "k8s.io/kubernetes/pkg/features"
30 )
// Verb sets shared by every default role in this package. They are exported,
// mutable package variables: a rule is built from them at the moment
// ClusterRoles()/NodeRules() runs, so mutating Read or Write before that call
// silently widens (or narrows) every role below. Treat them as read-only.

// Write is the set of mutating verbs.
var Write = []string{"create", "update", "patch", "delete", "deletecollection"}

// ReadWrite is Read followed by Write, in that order.
var ReadWrite = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}

// Read is the set of read-only verbs.
var Read = []string{"get", "list", "watch"}

// ReadUpdate is Read plus in-place modification; it grants no create or delete.
var ReadUpdate = []string{"get", "list", "watch", "update", "patch"}

// Label is stamped on every bootstrap object so default RBAC objects can be
// told apart from user-created ones.
var Label = map[string]string{"kubernetes.io/bootstrapping": "rbac-defaults"}

// Annotation opts every bootstrap object into the API server's auto-update
// reconciliation (the meaning of rbacv1.AutoUpdateAnnotationKey upstream), so
// manual edits to these roles and bindings are expected to be reverted.
var Annotation = map[string]string{rbacv1.AutoUpdateAnnotationKey: "true"}
// API group names used when building rules. legacyGroup is the empty string,
// i.e. the core API group (pods, secrets, nodes, services, ...). Not every
// constant is referenced in this file; some exist for sibling policy files.
const (
	legacyGroup                  = ""
	appsGroup                    = "apps"
	authenticationGroup          = "authentication.k8s.io"
	authorizationGroup           = "authorization.k8s.io"
	autoscalingGroup             = "autoscaling"
	batchGroup                   = "batch"
	certificatesGroup            = "certificates.k8s.io"
	coordinationGroup            = "coordination.k8s.io"
	discoveryGroup               = "discovery.k8s.io"
	extensionsGroup              = "extensions"
	policyGroup                  = "policy"
	rbacGroup                    = "rbac.authorization.k8s.io"
	resourceGroup                = "resource.k8s.io"
	storageGroup                 = "storage.k8s.io"
	resMetricsGroup              = "metrics.k8s.io"
	customMetricsGroup           = "custom.metrics.k8s.io"
	externalMetricsGroup         = "external.metrics.k8s.io"
	networkingGroup              = "networking.k8s.io"
	eventsGroup                  = "events.k8s.io"
	internalAPIServerGroup       = "internal.apiserver.k8s.io"
	admissionRegistrationGroup   = "admissionregistration.k8s.io"
	storageVersionMigrationGroup = "storagemigration.k8s.io"
)
// addDefaultMetadata merges Label and Annotation into obj's labels and
// annotations, creating the maps when absent and overwriting any existing
// value for the same key. It panics if obj does not expose object metadata;
// every caller in this file passes a ClusterRole or ClusterRoleBinding, so a
// failure here is a programming error rather than a runtime condition.
func addDefaultMetadata(obj runtime.Object) {
	accessor, err := meta.Accessor(obj)
	if err != nil {
		panic(err)
	}

	// merge writes src into dst in place, allocating dst if it is nil, and
	// returns the map that should be stored back on the object.
	merge := func(dst, src map[string]string) map[string]string {
		if dst == nil {
			dst = make(map[string]string, len(src))
		}
		for key, value := range src {
			dst[key] = value
		}
		return dst
	}

	accessor.SetLabels(merge(accessor.GetLabels(), Label))
	accessor.SetAnnotations(merge(accessor.GetAnnotations(), Annotation))
}
// addClusterRoleLabel applies the bootstrap label and annotation to each role
// in place. Elements are addressed by index so the slice's own entries, not
// copies, are modified.
func addClusterRoleLabel(roles []rbacv1.ClusterRole) {
	for idx := 0; idx < len(roles); idx++ {
		addDefaultMetadata(&roles[idx])
	}
}
// addClusterRoleBindingLabel applies the bootstrap label and annotation to
// each binding in place. Elements are addressed by index so the slice's own
// entries, not copies, are modified.
func addClusterRoleBindingLabel(rolebindings []rbacv1.ClusterRoleBinding) {
	for idx := 0; idx < len(rolebindings); idx++ {
		addDefaultMetadata(&rolebindings[idx])
	}
}
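// NodeRules returns the policy rules granted to the "system:node" ClusterRole,
// i.e. the API access a kubelet needs to run pods.
//
// None of these rules is scoped by resource name or namespace, so as far as
// RBAC is concerned any node may read any secret, configmap, PV or PVC, write
// any node or pod status and mint a token for any service account. Upstream
// expects the Node authorizer and the NodeRestriction admission plugin to
// narrow that to the objects bound to the requesting node; a cluster that
// authorizes kubelets purely through this role is not running them with least
// privilege. Rules behind feature gates are appended last; the gate is read at
// call time, so the result depends on when this is called.
//
// Unconditional rules are kept in one literal and group names use the
// package constants (coordinationGroup, storageGroup) rather than repeating
// the strings; the order and content of the returned rules is unchanged.
func NodeRules() []rbacv1.PolicyRule {
	nodePolicyRules := []rbacv1.PolicyRule{
		// Authentication/authorization checks the kubelet performs for its
		// own API. These creates are review calls and do not persist objects.
		rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
		rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(),

		// Read of all services (presumably for service environment variables in pods).
		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("services").RuleOrDie(),

		// Node registration and status. update/patch is granted on "nodes"
		// itself, not only "nodes/status", so a kubelet can change node labels
		// and spec; restricting it to its own Node object is left to admission.
		rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
		rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
		rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),

		// Event reporting; not restricted to the node's own events.
		rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),

		// Pod read; not restricted to pods scheduled on this node.
		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods").RuleOrDie(),

		// Pod create/delete (mirror pods for static pods upstream).
		rbacv1helpers.NewRule("create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),

		// Status reporting for the pods it runs.
		rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),

		// Eviction of pods it runs.
		rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(),

		// Secrets and configmaps referenced by pods (volumes, env, image pull
		// secrets). Cluster-wide get/list/watch on secrets at the RBAC level.
		rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("secrets", "configmaps").RuleOrDie(),

		// Persistent volumes and claims referenced by pod volumes.
		rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),

		// Endpoints get (used by some in-tree volume plugins upstream).
		rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),

		// Client certificate rotation: submit a CSR and watch for it to be
		// signed. Approval is a separate permission held by other roles.
		rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),

		// Leases (node heartbeats upstream); full lifecycle, any lease.
		rbacv1helpers.NewRule("get", "create", "update", "patch", "delete").Groups(coordinationGroup).Resources("leases").RuleOrDie(),

		// CSI volume attachment state.
		rbacv1helpers.NewRule("get").Groups(storageGroup).Resources("volumeattachments").RuleOrDie(),

		// Projected service account tokens for the pods it runs. Unscoped
		// here: without the Node authorizer/NodeRestriction this is token
		// minting for any service account in the cluster.
		rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),

		// PVC status updates.
		rbacv1helpers.NewRule("get", "update", "patch").Groups(legacyGroup).Resources("persistentvolumeclaims/status").RuleOrDie(),

		// CSI driver discovery and the node's CSINode object. Verb order is
		// kept exactly as before so the emitted PolicyRule is identical.
		rbacv1helpers.NewRule("get", "watch", "list").Groups(storageGroup).Resources("csidrivers").RuleOrDie(),
		rbacv1helpers.NewRule("get", "create", "update", "patch", "delete").Groups(storageGroup).Resources("csinodes").RuleOrDie(),

		// RuntimeClass lookup. node.k8s.io has no group constant in this file.
		rbacv1helpers.NewRule("get", "list", "watch").Groups("node.k8s.io").Resources("runtimeclasses").RuleOrDie(),
	}

	if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
		nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie())
	}

	if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
		nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get", "list", "watch").Groups(certificatesGroup).Resources("clustertrustbundles").RuleOrDie())
	}

	return nodePolicyRules
}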
// ClusterRoles returns the cluster roles to bootstrap an API server with.
// Every role is stamped with Label and Annotation via addClusterRoleLabel
// before being returned. Rules here are data; the comments on the broader
// roles spell out what a binding to that role actually hands out, since the
// names alone ("edit", "view") understate it. Feature-gated roles and rules
// are evaluated at call time.
func ClusterRoles() []rbacv1.ClusterRole {
	roles := []rbacv1.ClusterRole{
		{
			// Unrestricted: every verb on every resource in every group, plus
			// every non-resource URL.
			ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
				rbacv1helpers.NewRule("*").URLs("*").RuleOrDie(),
			},
		},
		{
			// Read-only API discovery, health and OpenAPI endpoints.
			// ClusterRoleBindings binds this to every authenticated user, so
			// the full API surface (including CRDs) is enumerable by any
			// credential holder.
			ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get").URLs(
					"/livez", "/readyz", "/healthz",
					"/version", "/version/",
					"/openapi", "/openapi/*",
					"/api", "/api/*",
					"/apis", "/apis/*",
				).RuleOrDie(),
			},
		},
		{
			// Metrics and health endpoints, including per-check sub-paths,
			// for the monitoring group.
			ObjectMeta: metav1.ObjectMeta{Name: "system:monitoring"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get").URLs(
					"/metrics", "/metrics/slis",
					"/livez", "/readyz", "/healthz",
					"/livez/*", "/readyz/*", "/healthz/*",
				).RuleOrDie(),
			},
		},
	}

	// Self-inspection only: a caller may ask what it itself can do and who
	// it is, nothing about other subjects.
	basicUserRules := []rbacv1.PolicyRule{
		rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews", "selfsubjectrulesreviews").RuleOrDie(),
		rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("selfsubjectreviews").RuleOrDie(),
	}

	roles = append(roles, []rbacv1.ClusterRole{
		{
			ObjectMeta: metav1.ObjectMeta{Name: "system:basic-user"},
			Rules:      basicUserRules,
		},
		{
			// Health and version only. ClusterRoleBindings binds this to
			// unauthenticated callers as well, so these paths are effectively
			// anonymous.
			ObjectMeta: metav1.ObjectMeta{Name: "system:public-info-viewer"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get").URLs(
					"/livez", "/readyz", "/healthz", "/version", "/version/",
				).RuleOrDie(),
			},
		},
		{
			// admin/edit/view carry no rules of their own; their rules are
			// aggregated from every ClusterRole carrying the matching
			// aggregate-to-* label. "edit" is itself labelled aggregate-to-admin
			// and "view" aggregate-to-edit, so the effective sets nest:
			// admin ⊇ edit ⊇ view. Any ClusterRole that can be created with one
			// of these labels widens the corresponding default role.
			ObjectMeta: metav1.ObjectMeta{Name: "admin"},
			AggregationRule: &rbacv1.AggregationRule{
				ClusterRoleSelectors: []metav1.LabelSelector{
					{MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
				},
			},
		},
		{
			ObjectMeta: metav1.ObjectMeta{Name: "edit", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
			AggregationRule: &rbacv1.AggregationRule{
				ClusterRoleSelectors: []metav1.LabelSelector{
					{MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
				},
			},
		},
		{
			ObjectMeta: metav1.ObjectMeta{Name: "view", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
			AggregationRule: &rbacv1.AggregationRule{
				ClusterRoleSelectors: []metav1.LabelSelector{
					{MatchLabels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
				},
			},
		},
		{
			// What admin adds on top of edit: access reviews on behalf of
			// others in the namespace and full control of namespaced RBAC
			// objects, i.e. the ability to grant roles within the namespace.
			ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-admin", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
				rbacv1helpers.NewRule(ReadWrite...).Groups(rbacGroup).Resources("roles", "rolebindings").RuleOrDie(),
			},
		},
		{
			// What edit adds on top of view. Read on secrets, impersonate on
			// serviceaccounts and create on serviceaccounts/token together let
			// an "edit" holder act as any service account in the namespace, and
			// exec/attach/portforward give code execution in any pod there.
			// Treat "edit" as the union of every identity running in that
			// namespace when deciding who gets it.
			ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-edit", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods/attach", "pods/proxy", "pods/exec", "pods/portforward", "secrets", "services/proxy").RuleOrDie(),
				rbacv1helpers.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),

				rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
				rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(),
				rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
					"services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(),
				rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),

				rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
					"statefulsets", "statefulsets/scale",
					"daemonsets",
					"deployments", "deployments/scale", "deployments/rollback",
					"replicasets", "replicasets/scale").RuleOrDie(),

				rbacv1helpers.NewRule(Write...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),

				rbacv1helpers.NewRule(Write...).Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),

				// Legacy "extensions" group; kept alongside the apps/networking
				// equivalents above and below.
				rbacv1helpers.NewRule(Write...).Groups(extensionsGroup).Resources("daemonsets",
					"deployments", "deployments/scale", "deployments/rollback", "ingresses",
					"replicasets", "replicasets/scale", "replicationcontrollers/scale",
					"networkpolicies").RuleOrDie(),

				rbacv1helpers.NewRule(Write...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),

				rbacv1helpers.NewRule(Write...).Groups(networkingGroup).Resources("networkpolicies", "ingresses").RuleOrDie(),

				rbacv1helpers.NewRule(ReadWrite...).Groups(coordinationGroup).Resources("leases").RuleOrDie(),
			},
		},
		{
			// Read-only view of workload objects. Note what is absent: no
			// secrets, no roles/rolebindings, no exec/attach/portforward and no
			// serviceaccounts/token. pods/log is included, so anything a
			// container writes to stdout/stderr is visible to "view".
			ObjectMeta: metav1.ObjectMeta{Name: "system:aggregate-to-view", Labels: map[string]string{"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
					"services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
					"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),

				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),

				rbacv1helpers.NewRule(Read...).Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),

				rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
					"controllerrevisions",
					"statefulsets", "statefulsets/status", "statefulsets/scale",
					"daemonsets", "daemonsets/status",
					"deployments", "deployments/status", "deployments/scale",
					"replicasets", "replicasets/status", "replicasets/scale").RuleOrDie(),

				rbacv1helpers.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(),

				rbacv1helpers.NewRule(Read...).Groups(batchGroup).Resources("jobs", "cronjobs", "cronjobs/status", "jobs/status").RuleOrDie(),

				rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("daemonsets", "daemonsets/status", "deployments", "deployments/scale", "deployments/status",
					"ingresses", "ingresses/status", "replicasets", "replicasets/scale", "replicasets/status", "replicationcontrollers/scale",
					"networkpolicies").RuleOrDie(),

				rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets", "poddisruptionbudgets/status").RuleOrDie(),

				rbacv1helpers.NewRule(Read...).Groups(networkingGroup).Resources("networkpolicies", "ingresses", "ingresses/status").RuleOrDie(),
			},
		},
		{
			// Legacy Heapster metrics collector: cluster-wide read of events,
			// pods, nodes, namespaces and extensions deployments.
			ObjectMeta: metav1.ObjectMeta{Name: "system:heapster"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("events", "pods", "nodes", "namespaces").RuleOrDie(),
				rbacv1helpers.NewRule(Read...).Groups(extensionsGroup).Resources("deployments").RuleOrDie(),
			},
		},
		{
			// Kubelet role; see NodeRules for the scoping caveats.
			ObjectMeta: metav1.ObjectMeta{Name: systemNodeRoleName},
			Rules:      NodeRules(),
		},
		{
			// Node condition reporting: read nodes, patch any node's status.
			// eventsRule() is defined elsewhere in this package.
			ObjectMeta: metav1.ObjectMeta{Name: "system:node-problem-detector"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
				rbacv1helpers.NewRule("patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
				eventsRule(),
			},
		},
		{
			// Full, unscoped access to the kubelet API of every node: the
			// "proxy" verb on nodes plus every verb on nodes/proxy, /metrics,
			// /stats and /log. Intended for the API server's own kubelet client
			// identity; anything bound to this can reach every container on
			// every node.
			ObjectMeta: metav1.ObjectMeta{Name: "system:kubelet-api-admin"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
				rbacv1helpers.NewRule("proxy").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
				rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/proxy", "nodes/metrics", "nodes/stats", "nodes/log").RuleOrDie(),
			},
		},
		{
			// TLS bootstrap: submit a CSR and watch for it to be signed.
			// Approval is a separate permission (see the *-approver roles below).
			ObjectMeta: metav1.ObjectMeta{Name: "system:node-bootstrapper"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
			},
		},
		{
			// Delegated authentication/authorization: lets a component (for
			// example an aggregated API server) validate bearer tokens and
			// check access through the core API server.
			ObjectMeta: metav1.ObjectMeta{Name: "system:auth-delegator"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
				rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
			},
		},
		{
			// Service/endpoint discovery for the aggregation layer.
			ObjectMeta: metav1.ObjectMeta{Name: "system:kube-aggregator"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
			},
		},
		{
			// The controller manager's own identity: list/watch of every
			// resource in every group, create/update/delete on secrets and
			// service accounts, and service account token minting. That is
			// cluster-wide read plus the ability to become any service account.
			// Individual controllers are presumably given narrower identities
			// elsewhere; this role should not be handed to anything else.
			// The leader-election lease is restricted by resourceName.
			ObjectMeta: metav1.ObjectMeta{Name: "system:kube-controller-manager"},
			Rules: []rbacv1.PolicyRule{
				eventsRule(),

				rbacv1helpers.NewRule("create").Groups(coordinationGroup).Resources("leases").RuleOrDie(),
				rbacv1helpers.NewRule("get", "update").Groups(coordinationGroup).Resources("leases").Names("kube-controller-manager").RuleOrDie(),

				rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("secrets", "serviceaccounts").RuleOrDie(),
				rbacv1helpers.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
				rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("namespaces", "secrets", "serviceaccounts", "configmaps").RuleOrDie(),
				rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("secrets", "serviceaccounts").RuleOrDie(),

				rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
				rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),

				rbacv1helpers.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(),
				rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),
			},
		},
		{
			// DNS add-on: list/watch of endpoints and services cluster-wide.
			ObjectMeta: metav1.ObjectMeta{Name: "system:kube-dns"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("endpoints", "services").RuleOrDie(),
			},
		},
		{
			// Dynamic PV provisioning. The explicit "watch" on events sits
			// alongside eventsRule(); both are retained as written.
			ObjectMeta: metav1.ObjectMeta{Name: "system:persistent-volume-provisioner"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get", "list", "watch", "create", "delete").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
				rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
				rbacv1helpers.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(),

				rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),

				eventsRule(),
			},
		},
		{
			// Create-only on the nodeclient CSR subresource (kubelet client
			// certificate requests).
			ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:certificatesigningrequests:nodeclient"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("create").Groups(certificatesGroup).Resources("certificatesigningrequests/nodeclient").RuleOrDie(),
			},
		},
		{
			// Create-only on the selfnodeclient CSR subresource (a node
			// requesting its own client certificate).
			ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("create").Groups(certificatesGroup).Resources("certificatesigningrequests/selfnodeclient").RuleOrDie(),
			},
		},
		{
			// Volume binding by the scheduler: read+update on PVs and PVCs,
			// read on storage classes. Bound to the scheduler user in
			// ClusterRoleBindings.
			ObjectMeta: metav1.ObjectMeta{Name: "system:volume-scheduler"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule(ReadUpdate...).Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
				rbacv1helpers.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
				rbacv1helpers.NewRule(ReadUpdate...).Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
			},
		},
		// The four *-approver roles grant the "approve" verb on "signers"
		// restricted by resourceName to a single signer, so each one can only
		// approve CSRs destined for that signer. Approving a CSR results in a
		// certificate the API server will trust, so these are credential-
		// issuing permissions.
		{
			ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:legacy-unknown-approver"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("approve").Groups(certificatesGroup).Resources("signers").Names(capi.LegacyUnknownSignerName).RuleOrDie(),
			},
		},
		{
			ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:kubelet-serving-approver"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("approve").Groups(certificatesGroup).Resources("signers").Names(capi.KubeletServingSignerName).RuleOrDie(),
			},
		},
		{
			ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:kube-apiserver-client-approver"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("approve").Groups(certificatesGroup).Resources("signers").Names(capi.KubeAPIServerClientSignerName).RuleOrDie(),
			},
		},
		{
			ObjectMeta: metav1.ObjectMeta{Name: "system:certificates.k8s.io:kube-apiserver-client-kubelet-approver"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("approve").Groups(certificatesGroup).Resources("signers").Names(capi.KubeAPIServerClientKubeletSignerName).RuleOrDie(),
			},
		},
	}...)

	// OIDC discovery and JWKS documents for the service account issuer.
	// ClusterRoleBindings binds this to every service account; the documents
	// contain only public keys and issuer metadata.
	roles = append(roles, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: "system:service-account-issuer-discovery"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get").URLs(
				"/.well-known/openid-configuration",
				"/.well-known/openid-configuration/",
				"/openid/v1/jwks",
				"/openid/v1/jwks/",
			).RuleOrDie(),
		},
	})

	// kube-proxy: list/watch of services, endpoints and endpointslices, read
	// of nodes, plus service CIDRs behind its feature gate.
	nodeProxierRules := []rbacv1.PolicyRule{
		rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
		rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),

		eventsRule(),
	}
	if utilfeature.DefaultFeatureGate.Enabled(features.MultiCIDRServiceAllocator) {
		nodeProxierRules = append(nodeProxierRules, rbacv1helpers.NewRule("list", "watch").Groups(networkingGroup).Resources("servicecidrs").RuleOrDie())
	}

	nodeProxierRules = append(nodeProxierRules, rbacv1helpers.NewRule("list", "watch").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie())
	roles = append(roles, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: "system:node-proxier"},
		Rules:      nodeProxierRules,
	})

	// kube-scheduler: its leader-election lease is restricted by resourceName;
	// pod access is read plus delete, binding and status, never create or
	// update of the pod itself. Token/subject reviews let it authenticate and
	// authorize callers of its own endpoints.
	kubeSchedulerRules := []rbacv1.PolicyRule{
		eventsRule(),

		rbacv1helpers.NewRule("create").Groups(coordinationGroup).Resources("leases").RuleOrDie(),
		rbacv1helpers.NewRule("get", "update").Groups(coordinationGroup).Resources("leases").Names("kube-scheduler").RuleOrDie(),

		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("nodes").RuleOrDie(),
		rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
		rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/binding", "bindings").RuleOrDie(),
		rbacv1helpers.NewRule("patch", "update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),

		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("services", "replicationcontrollers").RuleOrDie(),
		rbacv1helpers.NewRule(Read...).Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
		rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources("statefulsets").RuleOrDie(),

		rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),

		rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
		rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),

		rbacv1helpers.NewRule(Read...).Groups(storageGroup).Resources("csinodes").RuleOrDie(),

		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
		rbacv1helpers.NewRule(Read...).Groups(storageGroup).Resources("csidrivers").RuleOrDie(),
		rbacv1helpers.NewRule(Read...).Groups(storageGroup).Resources("csistoragecapacities").RuleOrDie(),
	}

	// Dynamic resource allocation adds write access to claims, scheduling
	// contexts and pod finalizers; only present when the gate is on.
	if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
		kubeSchedulerRules = append(kubeSchedulerRules,
			rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("resourceclasses").RuleOrDie(),
			rbacv1helpers.NewRule(ReadUpdate...).Groups(resourceGroup).Resources("resourceclaims").RuleOrDie(),
			rbacv1helpers.NewRule(ReadUpdate...).Groups(resourceGroup).Resources("resourceclaims/status").RuleOrDie(),
			rbacv1helpers.NewRule(ReadWrite...).Groups(resourceGroup).Resources("podschedulingcontexts").RuleOrDie(),
			rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("podschedulingcontexts/status").RuleOrDie(),
			rbacv1helpers.NewRule(ReadUpdate...).Groups(legacyGroup).Resources("pods/finalizers").RuleOrDie(),
			rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("resourceslices", "resourceclassparameters", "resourceclaimparameters").RuleOrDie(),
		)
	}
	roles = append(roles, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: "system:kube-scheduler"},
		Rules:      kubeSchedulerRules,
	})

	// Read of cluster trust bundles, only when the feature gate is on.
	if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
		roles = append(roles, rbacv1.ClusterRole{
			ObjectMeta: metav1.ObjectMeta{Name: "system:cluster-trust-bundle-discovery"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule(Read...).Groups(certificatesGroup).Resources("clustertrustbundles").RuleOrDie(),
			},
		})
	}

	addClusterRoleLabel(roles)
	return roles
}
// systemNodeRoleName is the name of the kubelet ClusterRole built from
// NodeRules; ClusterRoleBindings uses it for a binding that carries no
// subjects, so the role is not granted to anyone by RBAC alone.
const systemNodeRoleName = "system:node"
// ClusterRoleBindings returns the default cluster role bindings, attaching the
// roles from ClusterRoles to the built-in users, groups and service accounts.
// Every binding is stamped with Label and Annotation before being returned.
func ClusterRoleBindings() []rbacv1.ClusterRoleBinding {
	// The "system:node" binding is created with no Subjects: it holds the
	// role reference only. Kubelet access is expected to come from the Node
	// authorizer rather than from this binding, so adding subjects here would
	// hand out the unscoped NodeRules directly.
	nodeBinding := rbacv1.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{Name: systemNodeRoleName},
		RoleRef:    rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: systemNodeRoleName},
	}

	bindings := []rbacv1.ClusterRoleBinding{
		// Unrestricted access for the privileged system group.
		rbacv1helpers.NewClusterBinding("cluster-admin").Groups(user.SystemPrivilegedGroup).BindingOrDie(),
		rbacv1helpers.NewClusterBinding("system:monitoring").Groups(user.MonitoringGroup).BindingOrDie(),
		// Every authenticated identity gets API discovery and self-review.
		rbacv1helpers.NewClusterBinding("system:discovery").Groups(user.AllAuthenticated).BindingOrDie(),
		rbacv1helpers.NewClusterBinding("system:basic-user").Groups(user.AllAuthenticated).BindingOrDie(),
		// Health and version endpoints are reachable by unauthenticated callers too.
		rbacv1helpers.NewClusterBinding("system:public-info-viewer").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),
		// Control-plane component identities; kube-dns binds a service account.
		rbacv1helpers.NewClusterBinding("system:node-proxier").Users(user.KubeProxy).BindingOrDie(),
		rbacv1helpers.NewClusterBinding("system:kube-controller-manager").Users(user.KubeControllerManager).BindingOrDie(),
		rbacv1helpers.NewClusterBinding("system:kube-dns").SAs("kube-system", "kube-dns").BindingOrDie(),
		rbacv1helpers.NewClusterBinding("system:kube-scheduler").Users(user.KubeScheduler).BindingOrDie(),
		rbacv1helpers.NewClusterBinding("system:volume-scheduler").Users(user.KubeScheduler).BindingOrDie(),
		nodeBinding,
		// Every service account may read the issuer discovery documents.
		rbacv1helpers.NewClusterBinding("system:service-account-issuer-discovery").Groups(serviceaccount.AllServiceAccountsGroup).BindingOrDie(),
	}

	// Feature-gated: read of cluster trust bundles for every service account.
	if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
		bindings = append(bindings, rbacv1helpers.NewClusterBinding("system:cluster-trust-bundle-discovery").Groups(serviceaccount.AllServiceAccountsGroup).BindingOrDie())
	}

	addClusterRoleBindingLabel(bindings)
	return bindings
}
// ClusterRolesToAggregate maps each aggregated default role (admin, edit,
// view) to the name of the ClusterRole that carries its directly-defined rules.
func ClusterRolesToAggregate() map[string]string {
	aggregates := make(map[string]string, 3)
	aggregates["admin"] = "system:aggregate-to-admin"
	aggregates["edit"] = "system:aggregate-to-edit"
	aggregates["view"] = "system:aggregate-to-view"
	return aggregates
}
// ClusterRoleBindingsToSplit maps the name of an existing default binding
// ("system:discovery") to the default binding that is split out of it
// ("system:public-info-viewer"), so callers reconciling an older cluster can
// create the newer binding alongside the old one. The result is derived from
// ClusterRoleBindings, so it already carries the bootstrap metadata.
func ClusterRoleBindingsToSplit() map[string]rbacv1.ClusterRoleBinding {
	split := make(map[string]rbacv1.ClusterRoleBinding)
	for _, binding := range ClusterRoleBindings() {
		if binding.Name == "system:public-info-viewer" {
			split["system:discovery"] = binding
		}
	}
	return split
}