Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
1a54fd43
Unverified
Commit
1a54fd43
authored
Nov 16, 2018
by
k8s-ci-robot
Committed by
GitHub
Nov 16, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #71021 from liggitt/node-self-deletion
Remove self-deletion permissions from kubelets
parents
6fc60428
8d7cc390
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
6 additions
and
4 deletions
+6
-4
policy.go
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+1
-1
cluster-roles.yaml
...thorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+0
-1
node_test.go
test/integration/auth/node_test.go
+5
-2
No files found.
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View file @
1a54fd43
...
@@ -107,7 +107,7 @@ func NodeRules() []rbacv1.PolicyRule {
...
@@ -107,7 +107,7 @@ func NodeRules() []rbacv1.PolicyRule {
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
rbacv1helpers
.
NewRule
(
"create"
,
"get"
,
"list"
,
"watch"
)
.
Groups
(
legacyGroup
)
.
Resources
(
"nodes"
)
.
RuleOrDie
(),
rbacv1helpers
.
NewRule
(
"create"
,
"get"
,
"list"
,
"watch"
)
.
Groups
(
legacyGroup
)
.
Resources
(
"nodes"
)
.
RuleOrDie
(),
rbacv1helpers
.
NewRule
(
"update"
,
"patch"
)
.
Groups
(
legacyGroup
)
.
Resources
(
"nodes/status"
)
.
RuleOrDie
(),
rbacv1helpers
.
NewRule
(
"update"
,
"patch"
)
.
Groups
(
legacyGroup
)
.
Resources
(
"nodes/status"
)
.
RuleOrDie
(),
rbacv1helpers
.
NewRule
(
"update"
,
"patch"
,
"delete"
)
.
Groups
(
legacyGroup
)
.
Resources
(
"nodes"
)
.
RuleOrDie
(),
rbacv1helpers
.
NewRule
(
"update"
,
"patch"
)
.
Groups
(
legacyGroup
)
.
Resources
(
"nodes"
)
.
RuleOrDie
(),
// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
rbacv1helpers
.
NewRule
(
"create"
,
"update"
,
"patch"
)
.
Groups
(
legacyGroup
)
.
Resources
(
"events"
)
.
RuleOrDie
(),
rbacv1helpers
.
NewRule
(
"create"
,
"update"
,
"patch"
)
.
Groups
(
legacyGroup
)
.
Resources
(
"events"
)
.
RuleOrDie
(),
...
...
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
View file @
1a54fd43
...
@@ -882,7 +882,6 @@ items:
...
@@ -882,7 +882,6 @@ items:
resources
:
resources
:
-
nodes
-
nodes
verbs
:
verbs
:
-
delete
-
patch
-
patch
-
update
-
update
-
apiGroups
:
-
apiGroups
:
...
...
test/integration/auth/node_test.go
View file @
1a54fd43
...
@@ -530,7 +530,10 @@ func TestNodeAuthorizer(t *testing.T) {
...
@@ -530,7 +530,10 @@ func TestNodeAuthorizer(t *testing.T) {
expectAllowed
(
t
,
createNode2MirrorPodEviction
(
node2Client
))
expectAllowed
(
t
,
createNode2MirrorPodEviction
(
node2Client
))
expectAllowed
(
t
,
createNode2
(
node2Client
))
expectAllowed
(
t
,
createNode2
(
node2Client
))
expectAllowed
(
t
,
updateNode2Status
(
node2Client
))
expectAllowed
(
t
,
updateNode2Status
(
node2Client
))
expectAllowed
(
t
,
deleteNode2
(
node2Client
))
// self deletion is not allowed
expectForbidden
(
t
,
deleteNode2
(
node2Client
))
// clean up node2
expectAllowed
(
t
,
deleteNode2
(
superuserClient
))
// create a pod as an admin to add object references
// create a pod as an admin to add object references
expectAllowed
(
t
,
createNode2NormalPod
(
superuserClient
))
expectAllowed
(
t
,
createNode2NormalPod
(
superuserClient
))
...
@@ -621,7 +624,7 @@ func TestNodeAuthorizer(t *testing.T) {
...
@@ -621,7 +624,7 @@ func TestNodeAuthorizer(t *testing.T) {
// node2 can no longer get the configmap after it is unassigned as its config source
// node2 can no longer get the configmap after it is unassigned as its config source
expectForbidden
(
t
,
getConfigMapConfigSource
(
node2Client
))
expectForbidden
(
t
,
getConfigMapConfigSource
(
node2Client
))
// clean up node2
// clean up node2
expectAllowed
(
t
,
deleteNode2
(
node2
Client
))
expectAllowed
(
t
,
deleteNode2
(
superuser
Client
))
//TODO(mikedanese): integration test node restriction of TokenRequest
//TODO(mikedanese): integration test node restriction of TokenRequest
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment