kubelet: grant permission for DeleteCollection also with RBAC
If the node authorizer is active, RBAC rules are not needed. But if it's
disabled, kubelet needs to get permission through RBAC. In contrast to the
authorizer code, which is a bit more flexible and isn't directly tied to the
current kubelet implementation (i.e. it allows list+delete instead of just
deletecollection), the RBAC entry is just for what the current kubelet does
because it's a bit easier to change.
pohly committed Jul 18, 2024
1 parent ab32ad5 commit a6ce250
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
Expand Up @@ -181,6 +181,7 @@ func NodeRules() []rbacv1.PolicyRule {
// DRA Resource Claims
if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie())
nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("deletecollection").Groups(resourceGroup).Resources("resourceslices").RuleOrDie())
}
// Kubelet needs access to ClusterTrustBundles to support the pemTrustAnchors volume type.
if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
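Review bot: the new rule `rbacv1helpers.NewRule("deletecollection").Groups(resourceGroup).Resources("resourceslices")` is cluster-wide, since RBAC has no way to scope it to the slices published by the requesting node; with the node authorizer disabled, any kubelet granted the NodeRules() policy can delete every ResourceSlice in the cluster, not just its own. The commit message says this is the intended fallback for the no-node-authorizer case and that it is deliberately deletecollection only (matching the current kubelet, whereas the authorizer allows list+delete), but none of that reasoning is visible at the rule itself. A short comment above the added line stating that per-node restriction of this verb relies on the node authorizer, and why only deletecollection is granted here, would save the next reader a trip through the commit history.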
