Unverified Commit 1a54fd43 authored by k8s-ci-robot's avatar k8s-ci-robot Committed by GitHub

Merge pull request #71021 from liggitt/node-self-deletion

Remove self-deletion permissions from kubelets
parents 6fc60428 8d7cc390
...@@ -107,7 +107,7 @@ func NodeRules() []rbacv1.PolicyRule { ...@@ -107,7 +107,7 @@ func NodeRules() []rbacv1.PolicyRule {
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object. // Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(), rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(), rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
rbacv1helpers.NewRule("update", "patch", "delete").Groups(legacyGroup).Resources("nodes").RuleOrDie(), rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin // TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(), rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
......
...@@ -882,7 +882,6 @@ items: ...@@ -882,7 +882,6 @@ items:
resources: resources:
- nodes - nodes
verbs: verbs:
- delete
- patch - patch
- update - update
- apiGroups: - apiGroups:
......
...@@ -530,7 +530,10 @@ func TestNodeAuthorizer(t *testing.T) { ...@@ -530,7 +530,10 @@ func TestNodeAuthorizer(t *testing.T) {
expectAllowed(t, createNode2MirrorPodEviction(node2Client)) expectAllowed(t, createNode2MirrorPodEviction(node2Client))
expectAllowed(t, createNode2(node2Client)) expectAllowed(t, createNode2(node2Client))
expectAllowed(t, updateNode2Status(node2Client)) expectAllowed(t, updateNode2Status(node2Client))
expectAllowed(t, deleteNode2(node2Client)) // self deletion is not allowed
expectForbidden(t, deleteNode2(node2Client))
// clean up node2
expectAllowed(t, deleteNode2(superuserClient))
// create a pod as an admin to add object references // create a pod as an admin to add object references
expectAllowed(t, createNode2NormalPod(superuserClient)) expectAllowed(t, createNode2NormalPod(superuserClient))
...@@ -621,7 +624,7 @@ func TestNodeAuthorizer(t *testing.T) { ...@@ -621,7 +624,7 @@ func TestNodeAuthorizer(t *testing.T) {
// node2 can no longer get the configmap after it is unassigned as its config source // node2 can no longer get the configmap after it is unassigned as its config source
expectForbidden(t, getConfigMapConfigSource(node2Client)) expectForbidden(t, getConfigMapConfigSource(node2Client))
// clean up node2 // clean up node2
expectAllowed(t, deleteNode2(node2Client)) expectAllowed(t, deleteNode2(superuserClient))
//TODO(mikedanese): integration test node restriction of TokenRequest //TODO(mikedanese): integration test node restriction of TokenRequest
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment