GitList

Browse code

Fix group name in EgressNetworkPolicy-related rules

We were adding rules for EgressNetworkPolicy in kapiGroup rather than
sdnGroup. This didn't actually break anything because all of the
groups are currently "", but we should do it right anyway...

Dan Winship authored on 2016/12/16 04:10:19
Showing 2 changed files

pkg/cmd/server/bootstrappolicy/policy.go index fa597ed..e2f0b10 100644
test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml index 3aae140..ad4b565 100644

pkg/cmd/server/bootstrappolicy/policy.go

History View file @ 022e42e

@@ -113,7 +113,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
                      				Name: ClusterReaderRoleName,
                      			},
                      			Rules: []authorizationapi.PolicyRule{
                     -				authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "egressnetworkpolicies", "endpoints", "events", "limitranges",
                     +				authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("bindings", "componentstatuses", "configmaps", "endpoints", "events", "limitranges",
                      					"namespaces", "namespaces/status", "nodes", "nodes/status", "persistentvolumeclaims", "persistentvolumeclaims/status", "persistentvolumes",
                      					"persistentvolumes/status", "pods", "pods/binding", "pods/eviction", "pods/log", "pods/status", "podtemplates", "replicationcontrollers", "replicationcontrollers/scale",
                      					"replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "securitycontextconstraints", "serviceaccounts", "services",
@@ -157,7 +157,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
                      				authorizationapi.NewRule(read...).Groups(routeGroup).Resources("routes", "routes/status").RuleOrDie(),
                     -				authorizationapi.NewRule(read...).Groups(sdnGroup).Resources("clusternetworks", "hostsubnets", "netnamespaces").RuleOrDie(),
                     +				authorizationapi.NewRule(read...).Groups(sdnGroup).Resources("clusternetworks", "egressnetworkpolicies", "hostsubnets", "netnamespaces").RuleOrDie(),
                      				authorizationapi.NewRule(read...).Groups(templateGroup).Resources("templates", "templateconfigs", "processedtemplates").RuleOrDie(),
@@ -644,10 +644,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
                      				Name: SDNReaderRoleName,
                      			},
                      			Rules: []authorizationapi.PolicyRule{
                     -				authorizationapi.NewRule(read...).Groups(sdnGroup).Resources("hostsubnets", "netnamespaces").RuleOrDie(),
                     +				authorizationapi.NewRule(read...).Groups(sdnGroup).Resources("egressnetworkpolicies", "hostsubnets", "netnamespaces").RuleOrDie(),
                      				authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("nodes", "namespaces").RuleOrDie(),
                     -				authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("egressnetworkpolicies").RuleOrDie(),
+                    -
                      				authorizationapi.NewRule("get").Groups(sdnGroup).Resources("clusternetworks").RuleOrDie(),
                      			},
                      		},

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

History View file @ 022e42e

@@ -48,7 +48,6 @@ items:
                          - bindings
                          - componentstatuses
                          - configmaps
                     -    - egressnetworkpolicies
                          - endpoints
                          - events
                          - limitranges
@@ -277,6 +276,7 @@ items:
                          attributeRestrictions: null
                          resources:
                          - clusternetworks
                     +    - egressnetworkpolicies
                          - hostsubnets
                          - netnamespaces
                          verbs:
@@ -2088,6 +2088,7 @@ items:
                          - ""
                          attributeRestrictions: null
                          resources:
                     +    - egressnetworkpolicies
                          - hostsubnets
                          - netnamespaces
                          verbs:
@@ -2108,15 +2109,6 @@ items:
                          - ""
                          attributeRestrictions: null
                          resources:
                     -    - egressnetworkpolicies
                     -    verbs:
                     -    - get
                     -    - list
                     -    - watch
                     -  - apiGroups:
                     -    - ""
                     -    attributeRestrictions: null
                     -    resources:
                          - clusternetworks
                          verbs:
                          - get