Add bootstrap cluster role for external pv provisioners

Matthew Wong · Matthew Wong · commit da4c4c484818 · 2017-03-09T17:55:34.000-05:00
diff --git a/pkg/cmd/server/bootstrappolicy/constants.go b/pkg/cmd/server/bootstrappolicy/constants.go
@@ -67,23 +67,24 @@ const (
 	BuildStrategySourceRoleName          = "system:build-strategy-source"
 	BuildStrategyJenkinsPipelineRoleName = "system:build-strategy-jenkinspipeline"
 
-	ImageAuditorRoleName      = "system:image-auditor"
-	ImagePullerRoleName       = "system:image-puller"
-	ImagePusherRoleName       = "system:image-pusher"
-	ImageBuilderRoleName      = "system:image-builder"
-	ImagePrunerRoleName       = "system:image-pruner"
-	ImageSignerRoleName       = "system:image-signer"
-	DeployerRoleName          = "system:deployer"
-	RouterRoleName            = "system:router"
-	RegistryRoleName          = "system:registry"
-	MasterRoleName            = "system:master"
-	NodeRoleName              = "system:node"
-	NodeProxierRoleName       = "system:node-proxier"
-	SDNReaderRoleName         = "system:sdn-reader"
-	SDNManagerRoleName        = "system:sdn-manager"
-	OAuthTokenDeleterRoleName = "system:oauth-token-deleter"
-	WebHooksRoleName          = "system:webhook"
-	DiscoveryRoleName         = "system:discovery"
+	ImageAuditorRoleName                = "system:image-auditor"
+	ImagePullerRoleName                 = "system:image-puller"
+	ImagePusherRoleName                 = "system:image-pusher"
+	ImageBuilderRoleName                = "system:image-builder"
+	ImagePrunerRoleName                 = "system:image-pruner"
+	ImageSignerRoleName                 = "system:image-signer"
+	DeployerRoleName                    = "system:deployer"
+	RouterRoleName                      = "system:router"
+	RegistryRoleName                    = "system:registry"
+	MasterRoleName                      = "system:master"
+	NodeRoleName                        = "system:node"
+	NodeProxierRoleName                 = "system:node-proxier"
+	SDNReaderRoleName                   = "system:sdn-reader"
+	SDNManagerRoleName                  = "system:sdn-manager"
+	OAuthTokenDeleterRoleName           = "system:oauth-token-deleter"
+	WebHooksRoleName                    = "system:webhook"
+	DiscoveryRoleName                   = "system:discovery"
+	PersistentVolumeProvisionerRoleName = "system:persistent-volume-provisioner"
 
 	// NodeAdmin has full access to the API provided by the kubelet
 	NodeAdminRoleName = "system:node-admin"
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -815,6 +815,22 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 				authorizationapi.DiscoveryRule,
 			},
 		},
+		{
+			ObjectMeta: kapi.ObjectMeta{
+				Name: PersistentVolumeProvisionerRoleName,
+				Annotations: map[string]string{
+					roleSystemOnly: roleIsSystemOnly,
+				},
+			},
+			Rules: []authorizationapi.PolicyRule{
+				authorizationapi.NewRule("get", "list", "watch", "create", "delete").Groups(kapiGroup).Resources("persistentvolumes").RuleOrDie(),
+				// update is needed in addition to read access for setting lock annotations on PVCs
+				authorizationapi.NewRule("get", "list", "watch", "update").Groups(kapiGroup).Resources("persistentvolumeclaims").RuleOrDie(),
+				authorizationapi.NewRule(read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
+				// Needed for watching provisioning success and failure events
+				authorizationapi.NewRule("create", "update", "patch", "watch").Groups(kapiGroup).Resources("events").RuleOrDie(),
+			},
+		},
 
 		{
 			ObjectMeta: kapi.ObjectMeta{
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -2344,6 +2344,54 @@ items:
     resources: []
     verbs:
     - get
+- apiVersion: v1
+  kind: ClusterRole
+  metadata:
+    annotations:
+      authorization.openshift.io/system-only: "true"
+    creationTimestamp: null
+    name: system:persistent-volume-provisioner
+  rules:
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - persistentvolumes
+    verbs:
+    - create
+    - delete
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - persistentvolumeclaims
+    verbs:
+    - get
+    - list
+    - update
+    - watch
+  - apiGroups:
+    - storage.k8s.io
+    attributeRestrictions: null
+    resources:
+    - storageclasses
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
+    - watch
 - apiVersion: v1
   kind: ClusterRole
   metadata:
