From a6ce2507157d7d1f1af10fcc77cd17886841ce1c Mon Sep 17 00:00:00 2001
From: Patrick Ohly
Date: Thu, 13 Jun 2024 08:25:00 +0200
Subject: [PATCH] kubelet: grant permission for DeleteCollection also with RBAC

If the node authorizer is active, RBAC rules are not needed. But if it's disabled, kubelet needs to get permission through RBAC. In contrast to the authorizer code which is a bit more flexible and isn't directly tied to the current kubelet implementation (i.e. it allows list+delete instead of just deletecollection), the RBAC entry is just for what the current kubelet does because it's a bit easier to change.
---
 plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index f91da6e2673dd..8e3f4090c2e97 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -181,6 +181,7 @@ func NodeRules() []rbacv1.PolicyRule {
 	// DRA Resource Claims
 	if utilfeature.DefaultFeatureGate.Enabled(features.DynamicResourceAllocation) {
 		nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get").Groups(resourceGroup).Resources("resourceclaims").RuleOrDie())
+		nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("deletecollection").Groups(resourceGroup).Resources("resourceslices").RuleOrDie())
 	}
 	// Kubelet needs access to ClusterTrustBundles to support the pemTrustAnchors volume type.
 	if utilfeature.DefaultFeatureGate.Enabled(features.ClusterTrustBundle) {
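Review bot: The added `deletecollection` rule on `resourceslices` is cluster-wide: an RBAC PolicyRule carries no field selector, so any principal holding the node role can delete every ResourceSlice in the cluster in one request, not only the slices the kubelet published for its own node — the per-node scoping the commit message attributes to the node authorizer is lost exactly in the configuration this rule exists for. A compromised or misbehaving node could use that to wipe all DRA slices and stall DRA scheduling until every driver republishes, so the trade-off deserves a comment on the new line, e.g. `// Needed only when the node authorizer is disabled; RBAC cannot restrict this to the node's own slices, so it permits deleting all ResourceSlices.`. Nothing in this file requires the kubelet to send a nodeName field selector with the request; that constraint presumably lives in the kubelet and node authorizer code, which is worth stating so nobody treats this rule as scoped. `NodeRules` starts and ends outside the hunk.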