From 8cbbbac27d427668a655fd704c6db17904520e42 Mon Sep 17 00:00:00 2001
From: Solly Ross
Date: Fri, 15 Sep 2017 15:16:01 -0400
Subject: [PATCH] Add bootstrap policy for HPA metrics REST clients

Since we weren't running the HPA with metrics REST clients by default, we had no bootstrap policy enabling the HPA controller to talk to the metrics APIs. This adds permissions for the HPA controller to talk list pods.metrics.k8s.io, and list any resource in custom.metrics.k8s.io.

---
 .../rbac/bootstrappolicy/controller_policy.go | 3 +++
 .../rbac/bootstrappolicy/controller_policy_test.go | 6 ++++--
 .../auth/authorizer/rbac/bootstrappolicy/policy.go | 2 ++
 .../bootstrappolicy/testdata/controller-roles.yaml | 12 ++++++++++++
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index b00ca2c7eb33d..f81abc720c2bc 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -163,6 +163,9 @@ func buildControllerRoles() ([]rbac.ClusterRole, []rbac.ClusterRoleBinding) {
 rbac.NewRule("list").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 // TODO: restrict this to the appropriate namespace
 rbac.NewRule("get").Groups(legacyGroup).Resources("services/proxy").Names("https:heapster:", "http:heapster:").RuleOrDie(),
+ // allow listing resource metrics and custom metrics
+ rbac.NewRule("list").Groups(resMetricsGroup).Resources("pods").RuleOrDie(),
+ rbac.NewRule("list").Groups(customMetricsGroup).Resources("*").RuleOrDie(),
 eventsRule(),
 },
 })
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go
index 8c36915f21647..e1c98019bcf50 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go
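Review bot: The `Resources("*")` rule for customMetricsGroup is the only wildcard resource grant in this role, and the one-line comment above it does not record why a finite resource list is not possible; since this is bootstrap policy that every cluster inherits, the rationale belongs next to the rule rather than only in the commit message. Suggest replacing the comment with something like `// allow listing resource metrics for pods and custom metrics for any object kind; custom metric resources are keyed by the kind they describe and cannot be enumerated here, so the group gets "*" but only the read-only list verb`. That also gives the star-check test exemption added in controller_policy_test.go a reason a future reader can check against the code. The metrics.k8s.io rule is correctly limited to `pods`, so the wildcard stays confined to the custom metrics group. buildControllerRoles starts and ends outside the hunk.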
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy_test.go
@@ -31,11 +31,13 @@ var rolesWithAllowStar = sets.NewString(
 saRolePrefix+"namespace-controller",
 saRolePrefix+"generic-garbage-collector",
 saRolePrefix+"resourcequota-controller",
+ saRolePrefix+"horizontal-pod-autoscaler",
 )
 
 // TestNoStarsForControllers confirms that no controller role has star verbs, groups,
-// or resources. There are two known exceptions, namespace lifecycle and GC which have to
-// delete anything
+// or resources. There are three known exceptions: namespace lifecycle and GC which have to
+// delete anything, and HPA, which has the power to read metrics associated
+// with any object.
 func TestNoStarsForControllers(t *testing.T) {
 for _, role := range ControllerRoles() {
 if rolesWithAllowStar.Has(role.Name) {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 04e6544106869..5510701bf17ff 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -46,6 +46,8 @@ const (
 policyGroup = "policy"
 rbacGroup = "rbac.authorization.k8s.io"
 storageGroup = "storage.k8s.io"
+ resMetricsGroup = "metrics.k8s.io"
+ customMetricsGroup = "custom.metrics.k8s.io"
 )
 
 func addDefaultMetadata(obj runtime.Object) {
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
index b90d55e497f62..bc24fa3cf25f8 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml
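Review bot: Adding `saRolePrefix+"horizontal-pod-autoscaler"` to rolesWithAllowStar appears to exempt the whole role from TestNoStarsForControllers, so a future star verb or star API group on the HPA role would pass unnoticed, even though the exemption is only needed for the single `Resources("*")` rule in custom.metrics.k8s.io. Consider keying the exemption by role plus the (group, resource) pair that may legitimately be a wildcard, so the test still rejects any other star in this role; the namespace and GC roles, which the comment says genuinely need blanket stars, could keep the existing set. The updated doc comment would be more precise if it named the group, e.g. `and HPA, which may list any resource in custom.metrics.k8s.io.` The body of TestNoStarsForControllers continues outside the hunk, so the blanket-skip behaviour is inferred from the visible `rolesWithAllowStar.Has(role.Name)` check.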
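Review bot: The two new constants in the policy.go const block depart from the naming of their siblings in two ways: `resMetricsGroup` abbreviates where every visible entry spells the word out (`storageGroup`, `customMetricsGroup`), and both are appended after `storageGroup` instead of following the alphabetical order the visible entries keep. Suggest `resourceMetricsGroup = "metrics.k8s.io"` and placing both constants in order within the block; the rename would also touch the use site in controller_policy.go. The const block starts outside the hunk, so I cannot confirm the ordering holds for the earlier entries.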
@@ -482,6 +482,18 @@ items:
 - services/proxy
 verbs:
 - get
+ - apiGroups:
+ - metrics.k8s.io
+ resources:
+ - pods
+ verbs:
+ - list
+ - apiGroups:
+ - custom.metrics.k8s.io
+ resources:
+ - '*'
+ verbs:
+ - list
 - apiGroups:
 - ""
 resources: