kubernetes · k8s-ci-robot · Feb 8, 2019 · Jan 2, 2019
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go
@@ -23,6 +23,7 @@ import (
 
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/authentication/user"
 	rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
 )
 
@@ -119,10 +120,15 @@ func init() {
 			rbacv1helpers.NewRule("get", "update").Groups(legacyGroup).Resources("configmaps").Names("kube-scheduler").RuleOrDie(),
 		},
 	})
+
+	delegatedAuthBinding := rbacv1helpers.NewRoleBinding("extension-apiserver-authentication-reader", metav1.NamespaceSystem).Users(user.KubeControllerManager, user.KubeScheduler).BindingOrDie()
+	delegatedAuthBinding.Name = "system::extension-apiserver-authentication-reader"
+	addNamespaceRoleBinding(metav1.NamespaceSystem, delegatedAuthBinding)
+
 	addNamespaceRoleBinding(metav1.NamespaceSystem,
-		rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
+		rbacv1helpers.NewRoleBinding("system::leader-locking-kube-controller-manager", metav1.NamespaceSystem).Users(user.KubeControllerManager).SAs(metav1.NamespaceSystem, "kube-controller-manager").BindingOrDie())
 	addNamespaceRoleBinding(metav1.NamespaceSystem,
-		rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
+		rbacv1helpers.NewRoleBinding("system::leader-locking-kube-scheduler", metav1.NamespaceSystem).Users(user.KubeScheduler).SAs(metav1.NamespaceSystem, "kube-scheduler").BindingOrDie())
 	addNamespaceRoleBinding(metav1.NamespaceSystem,
 		rbacv1helpers.NewRoleBinding(saRolePrefix+"bootstrap-signer", metav1.NamespaceSystem).SAs(metav1.NamespaceSystem, "bootstrap-signer").BindingOrDie())
 	// cloud-provider is deprecated starting Kubernetes 1.10 and will be deleted according to GA deprecation policy.

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -407,6 +407,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 				rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
 				// Needed to check API access.  These creates are non-mutating
 				rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
+				rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
 				// Needed for all shared informers
 				rbacv1helpers.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(),
 			},
@@ -434,6 +435,9 @@ func ClusterRoles() []rbacv1.ClusterRole {
 				// things that pods use or applies to them
 				rbacv1helpers.NewRule(Read...).Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
 				rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
+				// Needed to check API access.  These creates are non-mutating
+				rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
+				rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(),
 			},
 		},
 		{

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -662,6 +662,12 @@ items:
     - tokenreviews
     verbs:
     - create
+  - apiGroups:
+    - authorization.k8s.io
+    resources:
+    - subjectaccessreviews
+    verbs:
+    - create
   - apiGroups:
     - '*'
     resources:
@@ -796,6 +802,18 @@ items:
     - get
     - list
     - watch
+  - apiGroups:
+    - authentication.k8s.io
+    resources:
+    - tokenreviews
+    verbs:
+    - create
+  - apiGroups:
+    - authorization.k8s.io
+    resources:
+    - subjectaccessreviews
+    verbs:
+    - create
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/namespace-role-bindings.yaml
@@ -18,6 +18,27 @@ items:
   - kind: ServiceAccount
     name: bootstrap-signer
     namespace: kube-system
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    labels:
+      kubernetes.io/bootstrapping: rbac-defaults
+    name: system::extension-apiserver-authentication-reader
+    namespace: kube-system
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: extension-apiserver-authentication-reader
+  subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:kube-controller-manager
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:kube-scheduler
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
@@ -33,6 +54,9 @@ items:
     kind: Role
     name: system::leader-locking-kube-controller-manager
   subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:kube-controller-manager
   - kind: ServiceAccount
     name: kube-controller-manager
     namespace: kube-system
@@ -51,6 +75,9 @@ items:
     kind: Role
     name: system::leader-locking-kube-scheduler
   subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: system:kube-scheduler
   - kind: ServiceAccount
     name: kube-scheduler
     namespace: kube-system

diff --git a/test/integration/serving/BUILD b/test/integration/serving/BUILD
@@ -22,11 +22,8 @@ go_test(
         "//cmd/kube-controller-manager/app/testing:go_default_library",
         "//cmd/kube-scheduler/app/testing:go_default_library",
         "//pkg/cloudprovider/providers/fake:go_default_library",
-        "//staging/src/k8s.io/api/rbac/v1:go_default_library",
-        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
-        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
         "//staging/src/k8s.io/cloud-provider:go_default_library",
         "//test/integration/framework:go_default_library",
     ],

diff --git a/test/integration/serving/serving_test.go b/test/integration/serving/serving_test.go
@@ -28,11 +28,8 @@ import (
 	"strings"
 	"testing"
 
-	rbacv1 "k8s.io/api/rbac/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/server"
 	"k8s.io/apiserver/pkg/server/options"
-	"k8s.io/client-go/kubernetes"
 	"k8s.io/cloud-provider"
 	cloudctrlmgrtesting "k8s.io/kubernetes/cmd/cloud-controller-manager/app/testing"
 	kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing"
@@ -49,6 +46,8 @@ type componentTester interface {
 type kubeControllerManagerTester struct{}
 
 func (kubeControllerManagerTester) StartTestServer(t kubectrlmgrtesting.Logger, customFlags []string) (*options.SecureServingOptionsWithLoopback, *server.SecureServingInfo, *server.DeprecatedInsecureServingInfo, func(), error) {
+	// avoid starting any controller loops, we're just testing serving
+	customFlags = append([]string{"--controllers="}, customFlags...)
 	gotResult, err := kubectrlmgrtesting.StartTestServer(t, customFlags)
 	if err != nil {
 		return nil, nil, nil, nil, err
@@ -96,7 +95,7 @@ func TestComponentSecureServingAndAuth(t *testing.T) {
 		t.Fatal(err)
 	}
 	tokenFile.WriteString(fmt.Sprintf(`
-%s,controller-manager,controller-manager,""
+%s,system:kube-controller-manager,system:kube-controller-manager,""
 `, token))
 	tokenFile.Close()
 
@@ -107,44 +106,6 @@ func TestComponentSecureServingAndAuth(t *testing.T) {
 	}, framework.SharedEtcd())
 	defer server.TearDownFn()
 
-	// allow controller-manager to do SubjectAccessReview
-	client, err := kubernetes.NewForConfig(server.ClientConfig)
-	if err != nil {
-		t.Fatalf("unexpected error creating client config: %v", err)
-	}
-	_, err = client.RbacV1().ClusterRoleBindings().Create(&rbacv1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{Name: "controller-manager:system:auth-delegator"},
-		Subjects: []rbacv1.Subject{{
-			Kind: "User",
-			Name: "controller-manager",
-		}},
-		RoleRef: rbacv1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "ClusterRole",
-			Name:     "system:auth-delegator",
-		},
-	})
-	if err != nil {
-		t.Fatalf("failed to create system:auth-delegator rbac cluster role binding: %v", err)
-	}
-
-	// allow controller-manager to read kube-system/extension-apiserver-authentication
-	_, err = client.RbacV1().RoleBindings("kube-system").Create(&rbacv1.RoleBinding{
-		ObjectMeta: metav1.ObjectMeta{Name: "controller-manager:extension-apiserver-authentication-reader"},
-		Subjects: []rbacv1.Subject{{
-			Kind: "User",
-			Name: "controller-manager",
-		}},
-		RoleRef: rbacv1.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "Role",
-			Name:     "extension-apiserver-authentication-reader",
-		},
-	})
-	if err != nil {
-		t.Fatalf("failed to create controller-manager:extension-apiserver-authentication-reader rbac role binding: %v", err)
-	}
-
 	// create kubeconfig for the apiserver
 	apiserverConfig, err := ioutil.TempFile("", "kubeconfig")
 	if err != nil {