@@ -154,7 +154,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { |
154 | 154 |
"selfsubjectrulesreviews", "subjectaccessreviews").RuleOrDie(), |
155 | 155 |
authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(), |
156 | 156 |
// Allow read access to node metrics |
157 |
- authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource).RuleOrDie(), |
|
157 |
+ authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource).RuleOrDie(), |
|
158 | 158 |
// Allow read access to stats |
159 | 159 |
// Node stats requests are submitted as POSTs. These creates are non-mutating |
160 | 160 |
authorizationapi.NewRule("get", "create").Groups(kapiGroup).Resources(authorizationapi.NodeStatsResource).RuleOrDie(), |
@@ -547,7 +547,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { |
547 | 547 |
authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("nodes").RuleOrDie(), |
548 | 548 |
// Allow all API calls to the nodes |
549 | 549 |
authorizationapi.NewRule("proxy").Groups(kapiGroup).Resources("nodes").RuleOrDie(), |
550 |
- authorizationapi.NewRule("*").Groups(kapiGroup).Resources("nodes/proxy", authorizationapi.NodeMetricsResource, authorizationapi.NodeStatsResource, authorizationapi.NodeLogResource).RuleOrDie(), |
|
550 |
+ authorizationapi.NewRule("*").Groups(kapiGroup).Resources("nodes/proxy", authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource, authorizationapi.NodeStatsResource, authorizationapi.NodeLogResource).RuleOrDie(), |
|
551 | 551 |
}, |
552 | 552 |
}, |
553 | 553 |
{ |
@@ -558,7 +558,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { |
558 | 558 |
// Allow read-only access to the API objects |
559 | 559 |
authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("nodes").RuleOrDie(), |
560 | 560 |
// Allow read access to node metrics |
561 |
- authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource).RuleOrDie(), |
|
561 |
+ authorizationapi.NewRule("get").Groups(kapiGroup).Resources(authorizationapi.NodeMetricsResource, authorizationapi.NodeSpecResource).RuleOrDie(), |
|
562 | 562 |
// Allow read access to stats |
563 | 563 |
// Node stats requests are submitted as POSTs. These creates are non-mutating |
564 | 564 |
authorizationapi.NewRule("get", "create").Groups(kapiGroup).Resources(authorizationapi.NodeStatsResource).RuleOrDie(), |
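Review bot: The comment `// Allow read access to node metrics` above the changed rule in the first and third hunks is now stale, since the same rule also grants `get` on `authorizationapi.NodeSpecResource`; I would change it to `// Allow read access to node metrics and node spec` in both places so the next reader of NodeReaderRole sees the full grant at a glance. The second hunk's NodeAdminRole change needs no comment update because its `// Allow all API calls to the nodes` comment already covers the wildcard verb. GetBootstrapClusterRoles starts and ends outside these hunks, so the role names the rules belong to are inferred from the surrounding context rather than visible here.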
@@ -125,6 +125,9 @@ func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt |
125 | 125 |
// Override verb/resource for specific paths |
126 | 126 |
// Updates to these rules require updating NodeAdminRole and NodeReaderRole in bootstrap policy |
127 | 127 |
switch { |
128 |
+ case isSubpath(r, "/spec"): |
|
129 |
+ attrs.Verb = apiVerb |
|
130 |
+ attrs.Resource = authorizationapi.NodeSpecResource |
|
128 | 131 |
case isSubpath(r, "/stats"): |
129 | 132 |
attrs.Verb = apiVerb |
130 | 133 |
attrs.Resource = authorizationapi.NodeStatsResource |
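Review bot: The new `case isSubpath(r, "/spec")` depends on `isSubpath`, which is defined outside the hunk; if that helper matches on a plain string prefix rather than a `/`-delimited path segment, other paths beginning with `/spec` would be classified as a `nodes/spec` read, so it is worth confirming its boundary behaviour before relying on it for a new subresource. The verb comes from `apiVerb`, computed above the hunk, which mirrors the existing `/stats` case directly below, so the mapping itself is consistent with the surrounding cases. Unless the authorizer's test fixtures are updated elsewhere in this commit, a table entry mapping `/spec` and `/spec/` to `authorizationapi.NodeSpecResource` with the expected verb would pin the new branch. The enclosing `GetRequestAttributes` starts and ends outside the hunk.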
@@ -294,6 +294,7 @@ items: |
294 | 294 |
attributeRestrictions: null |
295 | 295 |
resources: |
296 | 296 |
- nodes/metrics |
297 |
+ - nodes/spec |
|
297 | 298 |
verbs: |
298 | 299 |
- get |
299 | 300 |
- apiGroups: |
@@ -1801,6 +1802,7 @@ items: |
1801 | 1801 |
- nodes/log |
1802 | 1802 |
- nodes/metrics |
1803 | 1803 |
- nodes/proxy |
1804 |
+ - nodes/spec |
|
1804 | 1805 |
- nodes/stats |
1805 | 1806 |
verbs: |
1806 | 1807 |
- '*' |
@@ -1824,6 +1826,7 @@ items: |
1824 | 1824 |
attributeRestrictions: null |
1825 | 1825 |
resources: |
1826 | 1826 |
- nodes/metrics |
1827 |
+ - nodes/spec |
|
1827 | 1828 |
verbs: |
1828 | 1829 |
- get |
1829 | 1830 |
- apiGroups: |