@@ -131,6 +131,12 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
131
131
ObjectMeta : metav1.ObjectMeta {
132
132
Name : ClusterReaderRoleName ,
133
133
},
134
+ AggregationRule : & rbacv1.AggregationRule {
135
+ ClusterRoleSelectors : []metav1.LabelSelector {{MatchLabels : map [string ]string {"rbac.authorization.k8s.io/aggregate-to-cluster-reader" : "true" }}},
136
+ },
137
+ },
138
+ {
139
+ ObjectMeta : metav1.ObjectMeta {Name : AggregatedClusterReaderRoleName , Labels : map [string ]string {"rbac.authorization.k8s.io/aggregate-to-cluster-reader" : "true" }},
134
140
Rules : []rbacv1.PolicyRule {
135
141
rbacv1helpers .NewRule (read ... ).Groups (kapiGroup ).Resources ("bindings" , "componentstatuses" , "configmaps" , "endpoints" , "events" , "limitranges" ,
136
142
"namespaces" , "namespaces/status" , "nodes" , "nodes/status" , "persistentvolumeclaims" , "persistentvolumeclaims/status" , "persistentvolumes" ,
@@ -173,30 +179,23 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
173
179
174
180
rbacv1helpers .NewRule (read ... ).Groups (authzGroup , legacyAuthzGroup ).Resources ("clusterroles" , "clusterrolebindings" , "roles" , "rolebindings" , "rolebindingrestrictions" ).RuleOrDie (),
175
181
176
- rbacv1helpers .NewRule (read ... ).Groups (buildGroup , legacyBuildGroup ).Resources ("builds" , "builds /details" , "buildconfigs" , "buildconfigs/webhooks" , "builds/log " ).RuleOrDie (),
182
+ rbacv1helpers .NewRule (read ... ).Groups (buildGroup , legacyBuildGroup ).Resources ("builds/details" ).RuleOrDie (),
177
183
178
- rbacv1helpers .NewRule (read ... ).Groups (deployGroup , legacyDeployGroup ).Resources ("deploymentconfigs" , "deploymentconfigs/scale" , "deploymentconfigs/log" ,
179
- "deploymentconfigs/status" ).RuleOrDie (),
180
-
181
- rbacv1helpers .NewRule (read ... ).Groups (imageGroup , legacyImageGroup ).Resources ("images" , "imagesignatures" , "imagestreams" , "imagestreamtags" , "imagestreamimages" ,
182
- "imagestreams/status" ).RuleOrDie (),
184
+ rbacv1helpers .NewRule (read ... ).Groups (imageGroup , legacyImageGroup ).Resources ("images" , "imagesignatures" ).RuleOrDie (),
183
185
// pull images
184
186
rbacv1helpers .NewRule ("get" ).Groups (imageGroup , legacyImageGroup ).Resources ("imagestreams/layers" ).RuleOrDie (),
185
187
186
188
rbacv1helpers .NewRule (read ... ).Groups (oauthGroup , legacyOauthGroup ).Resources ("oauthclientauthorizations" ).RuleOrDie (),
187
189
188
190
rbacv1helpers .NewRule (read ... ).Groups (projectGroup , legacyProjectGroup ).Resources ("projectrequests" , "projects" ).RuleOrDie (),
189
191
190
- rbacv1helpers .NewRule (read ... ).Groups (quotaGroup , legacyQuotaGroup ).Resources ("appliedclusterresourcequotas" , "clusterresourcequotas" , "clusterresourcequotas/status" ).RuleOrDie (),
191
-
192
- rbacv1helpers .NewRule (read ... ).Groups (routeGroup , legacyRouteGroup ).Resources ("routes" , "routes/status" ).RuleOrDie (),
192
+ rbacv1helpers .NewRule (read ... ).Groups (quotaGroup , legacyQuotaGroup ).Resources ("clusterresourcequotas" , "clusterresourcequotas/status" ).RuleOrDie (),
193
193
194
194
rbacv1helpers .NewRule (read ... ).Groups (networkGroup , legacyNetworkGroup ).Resources ("clusternetworks" , "egressnetworkpolicies" , "hostsubnets" , "netnamespaces" ).RuleOrDie (),
195
195
196
196
rbacv1helpers .NewRule (read ... ).Groups (securityGroup , legacySecurityGroup ).Resources ("securitycontextconstraints" ).RuleOrDie (),
197
197
rbacv1helpers .NewRule (read ... ).Groups (securityGroup ).Resources ("rangeallocations" ).RuleOrDie (),
198
198
199
- rbacv1helpers .NewRule (read ... ).Groups (templateGroup , legacyTemplateGroup ).Resources ("templates" , "templateconfigs" , "processedtemplates" , "templateinstances" ).RuleOrDie (),
200
199
rbacv1helpers .NewRule (read ... ).Groups (templateGroup , legacyTemplateGroup ).Resources ("brokertemplateinstances" , "templateinstances/status" ).RuleOrDie (),
201
200
202
201
rbacv1helpers .NewRule (read ... ).Groups (userGroup , legacyUserGroup ).Resources ("groups" , "identities" , "useridentitymappings" , "users" ).RuleOrDie (),
@@ -215,10 +214,6 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
215
214
rbacv1helpers .NewRule ("get" , "create" ).Groups (kapiGroup ).Resources ("nodes/" + NodeStatsSubresource ).RuleOrDie (),
216
215
217
216
rbacv1helpers .NewRule ("get" ).URLs (rbac .NonResourceAll ).RuleOrDie (),
218
-
219
- // backwards compatibility
220
- rbacv1helpers .NewRule (read ... ).Groups (buildGroup , legacyBuildGroup ).Resources ("buildlogs" ).RuleOrDie (),
221
- rbacv1helpers .NewRule (read ... ).Groups (kapiGroup ).Resources ("resourcequotausages" ).RuleOrDie (),
222
217
},
223
218
},
224
219
{
@@ -363,7 +358,10 @@ func GetOpenshiftBootstrapClusterRoles() []rbacv1.ClusterRole {
363
358
{
364
359
// a role for namespace level viewing. It grants Read-only access to non-escalating resources in
365
360
// a namespace.
366
- ObjectMeta : metav1.ObjectMeta {Name : AggregatedViewRoleName , Labels : map [string ]string {"rbac.authorization.k8s.io/aggregate-to-view" : "true" }},
361
+ ObjectMeta : metav1.ObjectMeta {Name : AggregatedViewRoleName , Labels : map [string ]string {
362
+ "rbac.authorization.k8s.io/aggregate-to-view" : "true" ,
363
+ "rbac.authorization.k8s.io/aggregate-to-cluster-reader" : "true" ,
364
+ }},
367
365
Rules : []rbacv1.PolicyRule {
368
366
rbacv1helpers .NewRule (read ... ).Groups (buildGroup , legacyBuildGroup ).Resources ("builds" , "buildconfigs" , "buildconfigs/webhooks" ).RuleOrDie (),
369
367
rbacv1helpers .NewRule (read ... ).Groups (buildGroup , legacyBuildGroup ).Resources ("builds/log" ).RuleOrDie (),
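Review bot: Adding `rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"` to the aggregated view piece (new line 363) turns every rule in this namespace-scoped role into a cluster-wide grant for cluster-reader, now and for anything appended to this rule list later, and the struct comment still only describes it as "a role for namespace level viewing"; extend that comment, e.g. `// Also aggregated into cluster-reader: any rule added here is granted cluster-wide to cluster-reader subjects, so keep it read-only and non-escalating.` The earlier hunk drops routes, deploymentconfigs and their subresources, imagestreams, templates and appliedclusterresourcequotas from cluster-reader on the assumption that this piece supplies them, but only builds, buildconfigs, buildconfigs/webhooks and builds/log are visible here and the rest of the rule list runs past the hunk, so confirm each dropped resource is actually present or cluster-reader silently regresses; `buildlogs` and `resourcequotausages` are removed with no replacement visible anywhere in the diff. Since ClusterRole aggregation merges whatever rules a labeled ClusterRole carries, the new selector also means any ClusterRole author who can set this label widens cluster-reader for all its subjects, which is presumably accepted but worth stating next to the AggregationRule. The enclosing ClusterRole literal continues outside the hunk.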
@@ -1010,8 +1008,9 @@ func GetBootstrapNamespaceRoleBindings() map[string][]rbacv1.RoleBinding {
1010
1008
1011
1009
func GetBootstrapClusterRolesToAggregate () map [string ]string {
1012
1010
return map [string ]string {
1013
- AdminRoleName : AggregatedAdminRoleName ,
1014
- EditRoleName : AggregatedEditRoleName ,
1015
- ViewRoleName : AggregatedViewRoleName ,
1011
+ AdminRoleName : AggregatedAdminRoleName ,
1012
+ EditRoleName : AggregatedEditRoleName ,
1013
+ ViewRoleName : AggregatedViewRoleName ,
1014
+ ClusterReaderRoleName : AggregatedClusterReaderRoleName ,
1016
1015
}
1017
1016
}