Merge pull request #10933 from liggitt/master-non-resource-permissions-1.3.1

smarterclayton · web-flow · commit 82fc7323cdc4 · 2016-09-18T20:18:16.000-04:00
Ensure system:master has full permissions on non-resource-urls
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -490,6 +490,10 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
 			},
 			Rules: []authorizationapi.PolicyRule{
 				authorizationapi.NewRule("*").Groups("*").Resources("*").RuleOrDie(),
+				{
+					Verbs:           sets.NewString(authorizationapi.VerbAll),
+					NonResourceURLs: sets.NewString(authorizationapi.NonResourceAll),
+				},
 			},
 		},
 		{
diff --git a/pkg/cmd/server/bootstrappolicy/policy_test.go b/pkg/cmd/server/bootstrappolicy/policy_test.go
@@ -103,6 +103,9 @@ func TestCovers(t *testing.T) {
 	var registryAdmin *authorizationapi.ClusterRole
 	var registryEditor *authorizationapi.ClusterRole
 	var registryViewer *authorizationapi.ClusterRole
+	var systemMaster *authorizationapi.ClusterRole
+	var systemDiscovery *authorizationapi.ClusterRole
+	var clusterAdmin *authorizationapi.ClusterRole
 
 	for i := range allRoles {
 		role := allRoles[i]
@@ -119,6 +122,12 @@ func TestCovers(t *testing.T) {
 			registryEditor = &role
 		case bootstrappolicy.RegistryViewerRoleName:
 			registryViewer = &role
+		case bootstrappolicy.MasterRoleName:
+			systemMaster = &role
+		case bootstrappolicy.DiscoveryRoleName:
+			systemDiscovery = &role
+		case bootstrappolicy.ClusterAdminRoleName:
+			clusterAdmin = &role
 		}
 	}
 
@@ -140,4 +149,13 @@ func TestCovers(t *testing.T) {
 	if covers, miss := rulevalidation.Covers(registryAdmin.Rules, registryViewer.Rules); !covers {
 		t.Errorf("failed to cover: %#v", miss)
 	}
+
+	// Make sure we can auto-reconcile discovery
+	if covers, miss := rulevalidation.Covers(systemMaster.Rules, systemDiscovery.Rules); !covers {
+		t.Errorf("failed to cover: %#v", miss)
+	}
+	// Make sure the master has full permissions
+	if covers, miss := rulevalidation.Covers(systemMaster.Rules, clusterAdmin.Rules); !covers {
+		t.Errorf("failed to cover: %#v", miss)
+	}
 }
diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -1653,6 +1653,13 @@ items:
     - '*'
     verbs:
     - '*'
+  - apiGroups: null
+    attributeRestrictions: null
+    nonResourceURLs:
+    - '*'
+    resources: []
+    verbs:
+    - '*'
 - apiVersion: v1
   kind: ClusterRole
   metadata:
