Added Policy for PVC Protection Alpha Feature

PVC Protection alpha feature was added into K8s 1.9. A part of the PVC Protection alpha feature implementation is a PVC Protection Controller that needs policy.

That's why the policy was added for the PVC Protection Controller. The PVC Protection Controller watches PVCs and Pods and updates PVCs.

pkg/cmd/server/bootstrappolicy/controller_policy.go

@@ -17,23 +17,24 @@ import (
 const saRolePrefix = "system:openshift:controller:"
 
 const (
-	InfraOriginNamespaceServiceAccountName                      = "origin-namespace-controller"
-	InfraServiceAccountControllerServiceAccountName             = "serviceaccount-controller"
-	InfraServiceAccountPullSecretsControllerServiceAccountName  = "serviceaccount-pull-secrets-controller"
-	InfraServiceAccountTokensControllerServiceAccountName       = "serviceaccount-tokens-controller"
-	InfraServiceServingCertServiceAccountName                   = "service-serving-cert-controller"
-	InfraBuildControllerServiceAccountName                      = "build-controller"
-	InfraBuildConfigChangeControllerServiceAccountName          = "build-config-change-controller"
-	InfraDeploymentConfigControllerServiceAccountName           = "deploymentconfig-controller"
-	InfraDeployerControllerServiceAccountName                   = "deployer-controller"
-	InfraImageTriggerControllerServiceAccountName               = "image-trigger-controller"
-	InfraImageImportControllerServiceAccountName                = "image-import-controller"
-	InfraSDNControllerServiceAccountName                        = "sdn-controller"
-	InfraClusterQuotaReconciliationControllerServiceAccountName = "cluster-quota-reconciliation-controller"
-	InfraUnidlingControllerServiceAccountName                   = "unidling-controller"
-	InfraServiceIngressIPControllerServiceAccountName           = "service-ingress-ip-controller"
-	InfraPersistentVolumeRecyclerControllerServiceAccountName   = "pv-recycler-controller"
-	InfraResourceQuotaControllerServiceAccountName              = "resourcequota-controller"
+	InfraOriginNamespaceServiceAccountName                           = "origin-namespace-controller"
+	InfraServiceAccountControllerServiceAccountName                  = "serviceaccount-controller"
+	InfraServiceAccountPullSecretsControllerServiceAccountName       = "serviceaccount-pull-secrets-controller"
+	InfraServiceAccountTokensControllerServiceAccountName            = "serviceaccount-tokens-controller"
+	InfraServiceServingCertServiceAccountName                        = "service-serving-cert-controller"
+	InfraBuildControllerServiceAccountName                           = "build-controller"
+	InfraBuildConfigChangeControllerServiceAccountName               = "build-config-change-controller"
+	InfraDeploymentConfigControllerServiceAccountName                = "deploymentconfig-controller"
+	InfraDeployerControllerServiceAccountName                        = "deployer-controller"
+	InfraImageTriggerControllerServiceAccountName                    = "image-trigger-controller"
+	InfraImageImportControllerServiceAccountName                     = "image-import-controller"
+	InfraSDNControllerServiceAccountName                             = "sdn-controller"
+	InfraClusterQuotaReconciliationControllerServiceAccountName      = "cluster-quota-reconciliation-controller"
+	InfraUnidlingControllerServiceAccountName                        = "unidling-controller"
+	InfraServiceIngressIPControllerServiceAccountName                = "service-ingress-ip-controller"
+	InfraPersistentVolumeRecyclerControllerServiceAccountName        = "pv-recycler-controller"
+	InfraResourceQuotaControllerServiceAccountName                   = "resourcequota-controller"
+	InfraPersistentVolumeClaimProtectionControllerServiceAccountName = "pvc-protection-controller"
 
 	// template instance controller watches for TemplateInstance object creation
 	// and instantiates templates as a result.
@@ -347,6 +348,16 @@ func init() {
 			eventsRule(),
 		},
 	})
+
+	// pvc-protection-controller
+	addControllerRole(rbac.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + InfraPersistentVolumeClaimProtectionControllerServiceAccountName},
+		Rules: []rbac.PolicyRule{
+			rbac.NewRule("get", "update", "list", "watch").Groups(kapiGroup).Resources("persistentvolumeclaims").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(kapiGroup).Resources("pods").RuleOrDie(),
+			eventsRule(),
+		},
+	})
 }
 
 // ControllerRoles returns the cluster roles used by controllers

test/testdata/bootstrappolicy/bootstrap_cluster_role_bindings.yaml

@@ -1012,6 +1012,21 @@ items:
   - kind: ServiceAccount
     name: template-service-broker
     namespace: openshift-infra
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    annotations:
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    name: system:openshift:controller:pvc-protection-controller
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: system:openshift:controller:pvc-protection-controller
+  subjects:
+  - kind: ServiceAccount
+    name: pvc-protection-controller
+    namespace: openshift-infra
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: ClusterRoleBinding
   metadata:

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -3911,6 +3911,40 @@ items:
     - create
     - patch
     - update
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRole
+  metadata:
+    annotations:
+      authorization.openshift.io/system-only: "true"
+      rbac.authorization.kubernetes.io/autoupdate: "true"
+    creationTimestamp: null
+    name: system:openshift:controller:pvc-protection-controller
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - persistentvolumeclaims
+    verbs:
+    - get
+    - list
+    - update
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: ClusterRole
   metadata:

test/testdata/bootstrappolicy/bootstrap_policy_file.yaml

@@ -4276,6 +4276,43 @@ items:
     - create
     - patch
     - update
+- apiVersion: v1
+  kind: ClusterRole
+  metadata:
+    annotations:
+      authorization.openshift.io/system-only: "true"
+      openshift.io/reconcile-protect: "false"
+    creationTimestamp: null
+    name: system:openshift:controller:pvc-protection-controller
+  rules:
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - persistentvolumeclaims
+    verbs:
+    - get
+    - list
+    - update
+    - watch
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - pods
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    attributeRestrictions: null
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
 - apiVersion: v1
   kind: ClusterRole
   metadata:
@@ -7455,6 +7492,22 @@ items:
     namespace: openshift-infra
   userNames:
   - system:serviceaccount:openshift-infra:template-service-broker
+- apiVersion: v1
+  groupNames: null
+  kind: ClusterRoleBinding
+  metadata:
+    annotations:
+      openshift.io/reconcile-protect: "false"
+    creationTimestamp: null
+    name: system:openshift:controller:pvc-protection-controller
+  roleRef:
+    name: system:openshift:controller:pvc-protection-controller
+  subjects:
+  - kind: ServiceAccount
+    name: pvc-protection-controller
+    namespace: openshift-infra
+  userNames:
+  - system:serviceaccount:openshift-infra:pvc-protection-controller
 - apiVersion: v1
   groupNames:
   - system:masters