Merge pull request #14968 from smarterclayton/wrong_policy_network

SDN controller requires access to watch resources
openshift · Jun 30, 2017 · b80c2fb · b80c2fb
2 parents dc5a05f + b9822a1
commit b80c2fb
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 23 deletions.
diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go
@@ -206,15 +206,13 @@ func init() {
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraSDNControllerServiceAccountName},
 		Rules: []rbac.PolicyRule{
 			rbac.NewRule("get", "create", "update").Groups(networkGroup, legacyNetworkGroup).Resources("clusternetworks").RuleOrDie(),
-			rbac.NewRule("get", "list").Groups(networkGroup, legacyNetworkGroup).Resources("egressnetworkpolicies").RuleOrDie(),
-			rbac.NewRule("get", "list", "create", "delete").Groups(networkGroup, legacyNetworkGroup).Resources("hostsubnets").RuleOrDie(),
-			rbac.NewRule("get", "list", "create", "update", "delete").Groups(networkGroup, legacyNetworkGroup).Resources("netnamespaces").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "create", "delete").Groups(networkGroup, legacyNetworkGroup).Resources("hostsubnets").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "create", "update", "delete").Groups(networkGroup, legacyNetworkGroup).Resources("netnamespaces").RuleOrDie(),
 			rbac.NewRule("get", "list").Groups(kapiGroup).Resources("pods").RuleOrDie(),
-			rbac.NewRule("list").Groups(kapiGroup).Resources("services").RuleOrDie(),
-			rbac.NewRule("list").Groups(kapiGroup).Resources("namespaces").RuleOrDie(),
-			rbac.NewRule("get").Groups(kapiGroup).Resources("nodes").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("services").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("namespaces").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("nodes").RuleOrDie(),
 			rbac.NewRule("update").Groups(kapiGroup).Resources("nodes/status").RuleOrDie(),
-			rbac.NewRule("list").Groups(extensionsGroup).Resources("networkPolicies").RuleOrDie(),
 
 			eventsRule(),
 		},

diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -3620,15 +3620,6 @@ items:
     - create
     - get
     - update
-  - apiGroups:
-    - ""
-    - network.openshift.io
-    attributeRestrictions: null
-    resources:
-    - egressnetworkpolicies
-    verbs:
-    - get
-    - list
   - apiGroups:
     - ""
     - network.openshift.io
@@ -3640,6 +3631,7 @@ items:
     - delete
     - get
     - list
+    - watch
   - apiGroups:
     - ""
     - network.openshift.io
@@ -3652,6 +3644,7 @@ items:
     - get
     - list
     - update
+    - watch
   - apiGroups:
     - ""
     attributeRestrictions: null
@@ -3666,35 +3659,34 @@ items:
     resources:
     - services
     verbs:
+    - get
     - list
+    - watch
   - apiGroups:
     - ""
     attributeRestrictions: null
     resources:
     - namespaces
     verbs:
+    - get
     - list
+    - watch
   - apiGroups:
     - ""
     attributeRestrictions: null
     resources:
     - nodes
     verbs:
     - get
+    - list
+    - watch
   - apiGroups:
     - ""
     attributeRestrictions: null
     resources:
     - nodes/status
     verbs:
     - update
-  - apiGroups:
-    - extensions
-    attributeRestrictions: null
-    resources:
-    - networkPolicies
-    verbs:
-    - list
   - apiGroups:
     - ""
     attributeRestrictions: null