Add RBAC rules for settings config map (#2595)

* Add RBAC rules for settings config map * Remove delete rule for settings config map * Remove delete rule comment for settings config map * Update comments in YAML files * Update comments in YAML files

Add RBAC rules for settings config map (#2595)
* Add RBAC rules for settings config map * Remove delete rule for settings config map * Remove delete rule comment for settings config map * Update comments in YAML files * Update comments in YAML files
6dc75162 · Marcin Maciaszczyk · GitHub · 81a7d01c · 6dc75162 · 6dc75162
8 changed file
--- a/src/deploy/alternative/kubernetes-dashboard-arm-head.yaml
+++ b/src/deploy/alternative/kubernetes-dashboard-arm-head.yaml
@@ -37,15 +37,20 @@ metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
 rules:
-  # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
+  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
 - apiGroups: [""]
  resources: ["secrets"]
-  verbs: ["create", "watch"]
+  verbs: ["create"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
  resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
  resourceNames: ["kubernetes-dashboard-key-holder"]
  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
  resources: ["services"]

--- a/src/deploy/alternative/kubernetes-dashboard-arm.yaml
+++ b/src/deploy/alternative/kubernetes-dashboard-arm.yaml
@@ -41,11 +41,16 @@ rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "watch"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
  resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
  resourceNames: ["kubernetes-dashboard-key-holder"]
  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
  resources: ["services"]

--- a/src/deploy/alternative/kubernetes-dashboard-head.yaml
+++ b/src/deploy/alternative/kubernetes-dashboard-head.yaml
@@ -37,15 +37,20 @@ metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
 rules:
-  # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
+  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
 - apiGroups: [""]
  resources: ["secrets"]
-  verbs: ["create", "watch"]
+  verbs: ["create"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
  resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
  resourceNames: ["kubernetes-dashboard-key-holder"]
  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
  resources: ["services"]

--- a/src/deploy/alternative/kubernetes-dashboard.yaml
+++ b/src/deploy/alternative/kubernetes-dashboard.yaml
@@ -41,11 +41,16 @@ rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "watch"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
  resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
  resourceNames: ["kubernetes-dashboard-key-holder"]
  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
  resources: ["services"]

--- a/src/deploy/recommended/kubernetes-dashboard-arm-head.yaml
+++ b/src/deploy/recommended/kubernetes-dashboard-arm-head.yaml
@@ -48,15 +48,20 @@ metadata:
  name: kubernetes-dashboard-minimal-head
  namespace: kube-system
 rules:
-  # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
+  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
  resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' and 'kubernetes-dashboard-certs' secrets.
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
  resources: ["services"]

--- a/src/deploy/recommended/kubernetes-dashboard-arm.yaml
+++ b/src/deploy/recommended/kubernetes-dashboard-arm.yaml
@@ -52,11 +52,16 @@ rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "watch"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
  resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
  resources: ["services"]

--- a/src/deploy/recommended/kubernetes-dashboard-head.yaml
+++ b/src/deploy/recommended/kubernetes-dashboard-head.yaml
@@ -48,15 +48,20 @@ metadata:
  name: kubernetes-dashboard-minimal-head
  namespace: kube-system
 rules:
-  # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
+  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
  resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' and 'kubernetes-dashboard-certs' secrets.
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
  resources: ["services"]

--- a/src/deploy/recommended/kubernetes-dashboard.yaml
+++ b/src/deploy/recommended/kubernetes-dashboard.yaml
@@ -52,11 +52,16 @@ rules:
 - apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "watch"]
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
 - apiGroups: [""]
  resources: ["secrets"]
-  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["kubernetes-dashboard-settings"]
+  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
  resources: ["services"]