auth: fix infra policy for the deployment controller

openshift · May 3, 2017 · 2a4c744 · 2a4c744
1 parent 3e401f6
commit 2a4c744
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go b/pkg/cmd/server/bootstrappolicy/infra_sa_policy.go
@@ -208,7 +208,7 @@ func init() {
 				},
 				// DeploymentController.podClient
 				{
-					Verbs:     sets.NewString("get", "list", "create", "watch", "delete", "update"),
+					Verbs:     sets.NewString("get", "list", "watch"),
 					Resources: sets.NewString("pods"),
 				},
 				// DeploymentController.recorder (EventBroadcaster)
@@ -249,7 +249,7 @@ func init() {
 					APIGroups: []string{""},
 					// TODO: remove "update" once
 					// https://github.com/kubernetes/kubernetes/issues/36897 is resolved.
-					Verbs:     sets.NewString("get", "list", "watch", "update"),
+					Verbs:     sets.NewString("get", "list", "watch", "update", "patch", "delete"),
 					Resources: sets.NewString("pods"),
 				},
 				{

diff --git a/pkg/cmd/server/origin/master_config.go b/pkg/cmd/server/origin/master_config.go
@@ -998,7 +998,7 @@ func (c *MasterConfig) DeploymentConfigInstantiateClients() (*osclient.Client, k
 
 // DeploymentControllerClients returns the deployment controller client objects
 func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) {
-	_, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraDeploymentConfigControllerServiceAccountName)
+	_, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraDeploymentControllerServiceAccountName)
 	if err != nil {
 		glog.Fatal(err)
 	}
@@ -1012,7 +1012,12 @@ func (c *MasterConfig) DeploymentConfigClients() (*osclient.Client, kclientsetin
 
 // DeploymentConfigControllerClients returns the deploymentConfig controller client objects
 func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, kclientsetinternal.Interface, kclientsetexternal.Interface) {
-	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClientsetInternal, c.PrivilegedLoopbackKubernetesClientsetExternal
+	_, osClient, internalKubeClientset, externalKubeClientset, err := c.GetServiceAccountClients(bootstrappolicy.InfraDeploymentConfigControllerServiceAccountName)
+	if err != nil {
+		glog.Fatal(err)
+	}
+	return osClient, internalKubeClientset, externalKubeClientset
+
 }
 
 // DeploymentTriggerControllerClient returns the deploymentConfig trigger controller client object