UPSTREAM: <carry>: Revert "Remove Endpoints write access from aggrega…

…ted edit role" OpenShift has an admission controller to prevent restricted Endpoints changes, and there's no reason to block non-restricted changes (such as modifying the annotations of an Endpoints, which is done by "oc idle"). This reverts commit 416efda. OpenShift-Rebase-Source: 239b9ed
openshift · Sep 14, 2023 · bd2d0db · bd2d0db
1 parent 884b753
commit bd2d0db
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -311,7 +311,7 @@ func clusterRoles() []rbacv1.ClusterRole {
 				rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
 				rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(),
 				rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
-					"services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(),
+					"services", "services/proxy", "endpoints", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(),
 				rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),
 
 				rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -134,6 +134,7 @@ items:
     - ""
     resources:
     - configmaps
+    - endpoints
     - events
     - persistentvolumeclaims
     - replicationcontrollers