  1. /*
  2. Copyright 2016 The Kubernetes Authors.
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. http://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */
  13. package bootstrappolicy
  14. import (
  15. "strings"
  16. "k8s.io/klog"
  17. rbacv1 "k8s.io/api/rbac/v1"
  18. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  19. utilfeature "k8s.io/apiserver/pkg/util/feature"
  20. rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
  21. "k8s.io/kubernetes/pkg/features"
  22. )
// saRolePrefix is the mandatory name prefix for every controller ClusterRole
// registered by this file. addControllerRole derives the kube-system
// service-account name from the text that follows the prefix, so the prefix
// both namespaces the bootstrap roles and links each role to its subject.
const saRolePrefix = "system:controller:"
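// addControllerRole registers one controller ClusterRole and the
// ClusterRoleBinding that grants it to the matching controller service
// account in the kube-system namespace.
//
// Parameters:
//   - controllerRoles: slice the role is appended to (re-labelled afterwards).
//   - controllerRoleBindings: slice the generated binding is appended to
//     (re-labelled afterwards).
//   - role: the ClusterRole to register. Its name must start with
//     saRolePrefix; the remainder is the service-account name the binding
//     targets, so the role/subject link is fixed by the name alone.
//
// A bad prefix, an empty service-account name or a duplicate role name are
// programming errors in the bootstrap policy itself, so they terminate the
// process via klog.Fatalf instead of returning an error.
func addControllerRole(controllerRoles *[]rbacv1.ClusterRole, controllerRoleBindings *[]rbacv1.ClusterRoleBinding, role rbacv1.ClusterRole) {
	if !strings.HasPrefix(role.Name, saRolePrefix) {
		klog.Fatalf(`role %q must start with %q`, role.Name, saRolePrefix)
	}
	// The bound subject is derived from the role name; a role named exactly
	// saRolePrefix would otherwise produce a binding to an empty
	// service-account name, which is never what the policy intends.
	saName := strings.TrimPrefix(role.Name, saRolePrefix)
	if saName == "" {
		klog.Fatalf(`role %q must name a service account after %q`, role.Name, saRolePrefix)
	}
	// Duplicate names would silently shadow an earlier role's rules when the
	// policy is reconciled, so registration is strictly once per name.
	for _, existingRole := range *controllerRoles {
		if role.Name == existingRole.Name {
			klog.Fatalf("role %q was already registered", role.Name)
		}
	}
	*controllerRoles = append(*controllerRoles, role)
	addClusterRoleLabel(*controllerRoles)
	*controllerRoleBindings = append(*controllerRoleBindings,
		rbacv1helpers.NewClusterBinding(role.Name).SAs("kube-system", saName).BindingOrDie())
	addClusterRoleBindingLabel(*controllerRoleBindings)
}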
// eventsRule returns the rule shared by most controller roles below: the
// ability to create, update and patch Events in both the legacy core group
// and the events group. Read verbs are intentionally absent — controllers
// emit events rather than consume them (persistent-volume-binder adds its
// own "watch" on events separately).
func eventsRule() rbacv1.PolicyRule {
	eventVerbs := []string{"create", "update", "patch"}
	builder := rbacv1helpers.NewRule(eventVerbs...).Groups(legacyGroup, eventsGroup)
	return builder.Resources("events").RuleOrDie()
}
// buildControllerRoles assembles the bootstrap ClusterRoles for the
// kube-controller-manager's per-controller service accounts and, through
// addControllerRole, one ClusterRoleBinding per role targeting the
// kube-system service account named after the role.
//
// Returns the roles and the bindings as two parallel slices (same order, one
// binding per role). Roles guarded by a feature gate are registered only when
// the gate is enabled at the moment this function runs, so the returned set
// depends on the process's feature-gate configuration.
//
// Security review notes: these rules are the full cluster-wide authority each
// controller identity holds, so their breadth is the blast radius of a leaked
// controller token. Several roles are effectively cluster-wide read and/or
// delete on every resource (generic-garbage-collector, namespace-controller,
// resourcequota-controller), some can read arbitrary Secrets by name
// (expand-controller, persistent-volume-binder), and one bypasses RBAC
// escalation prevention (clusterrole-aggregation-controller). Each is
// annotated inline; any change to a verb/resource pair here is a policy
// change for every cluster built from this file.
func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding) {
	// controllerRoles is a slice of roles used for controllers
	controllerRoles := []rbacv1.ClusterRole{}
	// controllerRoleBindings is the parallel slice of bindings, one per role
	controllerRoleBindings := []rbacv1.ClusterRoleBinding{}
	// attachdetach-controller: built in a closure because two of its rules are
	// feature-gated and appended after the base rule set.
	addControllerRole(&controllerRoles, &controllerRoleBindings, func() rbacv1.ClusterRole {
		role := rbacv1.ClusterRole{
			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "attachdetach-controller"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("persistentvolumes", "persistentvolumeclaims").RuleOrDie(),
				rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
				rbacv1helpers.NewRule("patch", "update").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
				rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
				eventsRule(),
				rbacv1helpers.NewRule("get", "create", "delete", "list", "watch").Groups(storageGroup).Resources("volumeattachments").RuleOrDie(),
			},
		}
		// NOTE(review): the two gated rules below spell the group as the literal
		// "storage.k8s.io" while the volumeattachments rule uses storageGroup;
		// presumably the same group — confirm and consider using the constant.
		if utilfeature.DefaultFeatureGate.Enabled(features.CSIDriverRegistry) {
			role.Rules = append(role.Rules, rbacv1helpers.NewRule("get", "watch", "list").Groups("storage.k8s.io").Resources("csidrivers").RuleOrDie())
		}
		// csinodes access needs both CSINodeInfo and CSIMigration enabled.
		if utilfeature.DefaultFeatureGate.Enabled(features.CSINodeInfo) && utilfeature.DefaultFeatureGate.Enabled(features.CSIMigration) {
			role.Rules = append(role.Rules, rbacv1helpers.NewRule("get", "watch", "list").Groups("storage.k8s.io").Resources("csinodes").RuleOrDie())
		}
		return role
	}())
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "clusterrole-aggregation-controller"},
		Rules: []rbacv1.PolicyRule{
			// this controller must have full permissions on clusterroles to allow it to mutate them in any way
			// SECURITY: "escalate" is the verb that exempts this identity from
			// RBAC's escalation-prevention check, so it may write rules into a
			// ClusterRole that it does not itself hold. Together with update/patch
			// on every ClusterRole, a compromise of this service account is
			// effectively cluster-admin. Keep this the only role that carries it.
			rbacv1helpers.NewRule("escalate", "get", "list", "watch", "update", "patch").Groups(rbacGroup).Resources("clusterroles").RuleOrDie(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "cronjob-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(batchGroup).Resources("cronjobs").RuleOrDie(),
			// Creating Jobs in any namespace means creating Pods with arbitrary
			// specs in any namespace; this is inherent to the controller's job.
			rbacv1helpers.NewRule("get", "list", "watch", "create", "update", "delete", "patch").Groups(batchGroup).Resources("jobs").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(batchGroup).Resources("cronjobs/status").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(batchGroup).Resources("cronjobs/finalizers").RuleOrDie(),
			rbacv1helpers.NewRule("list", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "daemon-set-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch").Groups(extensionsGroup, appsGroup).Resources("daemonsets").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("daemonsets/status").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("daemonsets/finalizers").RuleOrDie(),
			rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
			rbacv1helpers.NewRule("list", "watch", "create", "delete", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			// pods/binding lets this controller place pods on nodes directly,
			// bypassing the scheduler — a capability no other role here has.
			rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/binding").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "watch", "create", "delete", "update", "patch").Groups(appsGroup).Resources("controllerrevisions").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "deployment-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/status").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/finalizers").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
			// TODO: remove "update" once
			// https://github.com/kubernetes/kubernetes/issues/36897 is resolved.
			// Until then this role can modify any pod in the cluster, not just
			// the ones its ReplicaSets own.
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "disruption-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "watch").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "watch").Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(policyGroup).Resources("poddisruptionbudgets/status").RuleOrDie(),
			// Read-only access to the scale subresource of every kind in every
			// group, so PDBs can target arbitrary (including custom) scalables.
			rbacv1helpers.NewRule("get").Groups("*").Resources("*/scale").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "endpoint-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("services", "pods").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "create", "update", "delete").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
			// NOTE(review): endpoints/restricted is presumably the subresource
			// checked by admission when endpoint addresses fall in ranges ordinary
			// users may not write; confirm against the admission plugin before
			// granting it to any other identity.
			rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("endpoints/restricted").RuleOrDie(),
			eventsRule(),
		},
	})
	// endpointslice-controller exists only while the EndpointSlice gate is on.
	if utilfeature.DefaultFeatureGate.Enabled(features.EndpointSlice) {
		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "endpointslice-controller"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("services", "pods", "nodes").RuleOrDie(),
				rbacv1helpers.NewRule("get", "list", "create", "update", "delete").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),
				eventsRule(),
			},
		})
	}
	// expand-controller exists only while the ExpandPersistentVolumes gate is on.
	if utilfeature.DefaultFeatureGate.Enabled(features.ExpandPersistentVolumes) {
		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "expand-controller"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get", "list", "watch", "update", "patch").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
				rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("persistentvolumeclaims/status").RuleOrDie(),
				rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
				// glusterfs
				rbacv1helpers.NewRule("get", "list", "watch").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
				rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),
				// SECURITY: "get" on secrets with no resourceNames in a ClusterRole
				// is a cluster-wide read of any Secret whose name is known (no
				// list, so enumeration is not granted). Present for the glusterfs
				// plugin's credential lookup; a leaked token for this controller
				// can read provisioning credentials in any namespace.
				rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
				eventsRule(),
			},
		})
	}
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "generic-garbage-collector"},
		Rules: []rbacv1.PolicyRule{
			// the GC controller needs to run list/watches, selective gets, and updates against any resource
			// SECURITY: this is the broadest role in the file — read, modify and
			// delete on every resource in every API group, including Secrets and
			// RBAC objects. Only "create" (and the special escalate/bind/
			// impersonate verbs) are absent. Treat the token of this service
			// account as equivalent to a cluster-wide read/delete credential.
			rbacv1helpers.NewRule("get", "list", "watch", "patch", "update", "delete").Groups("*").Resources("*").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "horizontal-pod-autoscaler"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch").Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(autoscalingGroup).Resources("horizontalpodautoscalers/status").RuleOrDie(),
			// Read/write on the scale subresource of every kind in every group:
			// this identity can resize any scalable workload cluster-wide.
			rbacv1helpers.NewRule("get", "update").Groups("*").Resources("*/scale").RuleOrDie(),
			rbacv1helpers.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			// TODO: restrict this to the appropriate namespace
			// SECURITY: resourceNames pin the service name, but a ClusterRole
			// applies in every namespace, so any Service named "heapster" in any
			// namespace can be reached through the API server proxy by this
			// identity — hence the TODO above.
			rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
			// allow listing resource metrics and custom metrics
			rbacv1helpers.NewRule("list").Groups(resMetricsGroup).Resources("pods").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list").Groups(customMetricsGroup).Resources("*").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "job-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(batchGroup).Resources("jobs").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(batchGroup).Resources("jobs/status").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(batchGroup).Resources("jobs/finalizers").RuleOrDie(),
			// Pod create in any namespace is inherent: the controller realises
			// Job pod templates wherever the Job lives.
			rbacv1helpers.NewRule("list", "watch", "create", "delete", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "namespace-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("namespaces/finalize", "namespaces/status").RuleOrDie(),
			// SECURITY: cluster-wide read (get/list, so Secrets included) and
			// delete/deletecollection on every resource in every group, needed to
			// tear down a namespace's contents. No update/patch, but destructive
			// reach is total. Note this role does not carry eventsRule().
			rbacv1helpers.NewRule("get", "list", "delete", "deletecollection").Groups("*").Resources("*").RuleOrDie(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "node-controller"},
		Rules: []rbacv1.PolicyRule{
			// delete on nodes: this identity can remove Node objects from the
			// cluster, which in turn orphans every pod scheduled there.
			rbacv1helpers.NewRule("get", "list", "update", "delete", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
			rbacv1helpers.NewRule("patch", "update").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
			// used for pod eviction
			rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("pods/status").RuleOrDie(),
			rbacv1helpers.NewRule("list", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "persistent-volume-binder"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "update", "create", "delete").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("persistentvolumes/status").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("persistentvolumeclaims/status").RuleOrDie(),
			// Pod create/delete cluster-wide: used by the recycler, which runs a
			// pod to scrub volumes (see the recyclerClient comment below).
			rbacv1helpers.NewRule("list", "watch", "get", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			// glusterfs
			rbacv1helpers.NewRule("get", "list", "watch").Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
			rbacv1helpers.NewRule("get", "create", "update", "delete").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
			rbacv1helpers.NewRule("get", "create", "delete").Groups(legacyGroup).Resources("services").RuleOrDie(),
			// SECURITY: same caveat as expand-controller — unscoped "get" on
			// secrets is a cluster-wide read of any Secret by name.
			rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
			// openstack
			rbacv1helpers.NewRule("get", "list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
			// recyclerClient.WatchPod
			// The only read verb on events in this file; eventsRule() below adds
			// the write verbs.
			rbacv1helpers.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pod-garbage-collector"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("list", "watch", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
			// No eventsRule(): this controller does not emit events.
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replicaset-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(appsGroup, extensionsGroup).Resources("replicasets").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(appsGroup, extensionsGroup).Resources("replicasets/status").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(appsGroup, extensionsGroup).Resources("replicasets/finalizers").RuleOrDie(),
			rbacv1helpers.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replication-controller"},
		Rules: []rbacv1.PolicyRule{
			// 1.0 controllers needed get, update, so without these old controllers break on new servers
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("replicationcontrollers/status").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("replicationcontrollers/finalizers").RuleOrDie(),
			rbacv1helpers.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "resourcequota-controller"},
		Rules: []rbacv1.PolicyRule{
			// quota can count quota on anything for reconciliation, so it needs full viewing powers
			// SECURITY: list/watch on every resource in every group is a
			// cluster-wide read of all object contents, Secrets included, even
			// though the controller only needs counts.
			rbacv1helpers.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("resourcequotas/status").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "route-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
			rbacv1helpers.NewRule("patch").Groups(legacyGroup).Resources("nodes/status").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "service-account-controller"},
		Rules: []rbacv1.PolicyRule{
			// Create-only, but in every namespace; no read or delete is granted.
			rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "service-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("services").RuleOrDie(),
			rbacv1helpers.NewRule("patch", "update").Groups(legacyGroup).Resources("services/status").RuleOrDie(),
			rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "statefulset-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			rbacv1helpers.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(appsGroup).Resources("statefulsets/status").RuleOrDie(),
			rbacv1helpers.NewRule("update").Groups(appsGroup).Resources("statefulsets/finalizers").RuleOrDie(),
			rbacv1helpers.NewRule("get", "create", "delete", "update", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			rbacv1helpers.NewRule("get", "create", "delete", "update", "patch", "list", "watch").Groups(appsGroup).Resources("controllerrevisions").RuleOrDie(),
			// PVCs are created from volumeClaimTemplates but never deleted here.
			rbacv1helpers.NewRule("get", "create").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "ttl-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("update", "patch", "list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "certificate-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
			// SECURITY: update on certificatesigningrequests/approval is the
			// power to approve any CSR, i.e. to mint cluster credentials. The
			// subjectaccessreviews rule below is how the controller checks that
			// the requester is authorised before it approves.
			rbacv1helpers.NewRule("update").Groups(certificatesGroup).Resources("certificatesigningrequests/status", "certificatesigningrequests/approval").RuleOrDie(),
			rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pvc-protection-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
			rbacv1helpers.NewRule("list", "watch", "get").Groups(legacyGroup).Resources("pods").RuleOrDie(),
			eventsRule(),
		},
	})
	addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "pv-protection-controller"},
		Rules: []rbacv1.PolicyRule{
			rbacv1helpers.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
			eventsRule(),
		},
	})
	// ttl-after-finished-controller exists only while the TTLAfterFinished gate is on.
	if utilfeature.DefaultFeatureGate.Enabled(features.TTLAfterFinished) {
		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "ttl-after-finished-controller"},
			Rules: []rbacv1.PolicyRule{
				rbacv1helpers.NewRule("get", "list", "watch", "delete").Groups(batchGroup).Resources("jobs").RuleOrDie(),
				eventsRule(),
			},
		})
	}
	// root-ca-cert-publisher exists only while BoundServiceAccountTokenVolume is on.
	if utilfeature.DefaultFeatureGate.Enabled(features.BoundServiceAccountTokenVolume) {
		addControllerRole(&controllerRoles, &controllerRoleBindings, rbacv1.ClusterRole{
			ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "root-ca-cert-publisher"},
			Rules: []rbacv1.PolicyRule{
				// NOTE(review): presumably only the root-CA ConfigMap is written,
				// but the rule is not narrowed by resourceNames, so this identity
				// can create or overwrite any ConfigMap in any namespace — confirm
				// whether a resourceNames restriction is workable.
				rbacv1helpers.NewRule("create", "update").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
				eventsRule(),
			},
		})
	}
	return controllerRoles, controllerRoleBindings
}
// ControllerRoles returns the cluster roles used by controllers.
//
// Each call rebuilds the whole policy through buildControllerRoles, so the
// result reflects the feature gates enabled at call time and is a fresh slice
// the caller may modify without affecting later calls.
func ControllerRoles() []rbacv1.ClusterRole {
	var roles []rbacv1.ClusterRole
	roles, _ = buildControllerRoles()
	return roles
}
// ControllerRoleBindings returns the role bindings used by controllers.
//
// Like ControllerRoles this rebuilds the full policy on every call; the
// bindings come back in the same order as the roles, one per role, each
// targeting the kube-system service account named after its role.
func ControllerRoleBindings() []rbacv1.ClusterRoleBinding {
	var bindings []rbacv1.ClusterRoleBinding
	_, bindings = buildControllerRoles()
	return bindings
}