Merge pull request #14792 from smarterclayton/trigger_policy

smarterclayton · web-flow · commit 3cae5f520049 · 2017-06-26T23:15:34.000-04:00
Image change trigger must be able to create all build types
diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go
@@ -7,6 +7,8 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	rbac "k8s.io/kubernetes/pkg/apis/rbac"
+
+	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 )
 
 const saRolePrefix = "system:openshift:controller:"
@@ -165,6 +167,15 @@ func init() {
 			rbac.NewRule("get", "update").Groups(batchGroup).Resources("cronjobs").RuleOrDie(),
 			rbac.NewRule("get", "update").Groups(deployGroup, legacyDeployGroup).Resources("deploymentconfigs").RuleOrDie(),
 			rbac.NewRule("create").Groups(buildGroup, legacyBuildGroup).Resources("buildconfigs/instantiate").RuleOrDie(),
+			// trigger controller must be able to modify these build types
+			// TODO: move to a new custom binding that can be removed separately from end user access?
+			rbac.NewRule("create").Groups(buildGroup, legacyBuildGroup).Resources(
+				authorizationapi.SourceBuildResource,
+				authorizationapi.DockerBuildResource,
+				authorizationapi.OptimizedDockerBuildResource,
+				authorizationapi.JenkinsPipelineBuildResource,
+			).RuleOrDie(),
+
 			eventsRule(),
 		},
 	})
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -3493,6 +3493,17 @@ items:
     - buildconfigs/instantiate
     verbs:
     - create
+  - apiGroups:
+    - ""
+    - build.openshift.io
+    attributeRestrictions: null
+    resources:
+    - builds/docker
+    - builds/jenkinspipeline
+    - builds/optimizeddocker
+    - builds/source
+    verbs:
+    - create
   - apiGroups:
     - ""
     attributeRestrictions: null
