Merge pull request #133740 from pacoxu/add-events-group-view

add events.events.k8s.io to clusterrole view/edit default
2026-02-18 18:28:18 -05:00 · 2025-09-03 08:45:15 -07:00 · 2025-09-03 08:45:15 -07:00 · 529f147dfc
commit 529f147dfc
parent 5dff07fdf9 ef7cee89bf
3 changed files with 49 additions and 7 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -112,12 +112,14 @@ func viewRules() []rbacv1.PolicyRule {
 	rules := []rbacv1.PolicyRule{
 		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
 			"services", "services/status", "endpoints", "persistentvolumeclaims", "persistentvolumeclaims/status", "configmaps").RuleOrDie(),
-		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
+		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings",
 			"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
 		// read access to namespaces at the namespace scope means you can read *this* namespace.  This can be used as an
 		// indicator of which namespaces you have access to.
 		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),

+		rbacv1helpers.NewRule(Read...).Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),
+
 		rbacv1helpers.NewRule(Read...).Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),

 		rbacv1helpers.NewRule(Read...).Groups(appsGroup).Resources(
@ -155,9 +157,11 @@ func editRules() []rbacv1.PolicyRule {
 		rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
 		rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("pods/eviction").RuleOrDie(),
 		rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
-			"services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets", "events").RuleOrDie(),
+			"services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
 		rbacv1helpers.NewRule("create").Groups(legacyGroup).Resources("serviceaccounts/token").RuleOrDie(),

+		rbacv1helpers.NewRule(Write...).Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),
+
 		rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
 			"statefulsets", "statefulsets/scale",
 			"daemonsets",
@ -202,7 +206,7 @@ func NodeRules() []rbacv1.PolicyRule {
 		rbacv1helpers.NewRule("update", "patch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),

 		// TODO: restrict to the bound node as creator in the NodeRestrictions admission plugin
-		rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup).Resources("events").RuleOrDie(),
+		rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie(),

 		// Use the Node authorizer to limit get to pods related to the node, and to limit list/watch to field selectors related to the node.
 		rbacv1helpers.NewRule(Read...).Groups(legacyGroup).Resources("pods").RuleOrDie(),
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml
@ -129,7 +129,6 @@ items:
    - ""
    resources:
    - configmaps
-    - events
    - persistentvolumeclaims
    - replicationcontrollers
    - replicationcontrollers/scale
@ -149,6 +148,17 @@ items:
    - serviceaccounts/token
    verbs:
    - create
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - patch
+    - update
  - apiGroups:
    - apps
    resources:
@ -281,7 +291,6 @@ items:
    - ""
    resources:
    - bindings
-    - events
    - limitranges
    - namespaces/status
    - pods/log
@ -301,6 +310,15 @@ items:
    - get
    - list
    - watch
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - get
+    - list
+    - watch
  - apiGroups:
    - discovery.k8s.io
    resources:
@ -1087,6 +1105,7 @@ items:
    - update
  - apiGroups:
    - ""
+    - events.k8s.io
    resources:
    - events
    verbs:
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@ -129,7 +129,6 @@ items:
    - ""
    resources:
    - configmaps
-    - events
    - persistentvolumeclaims
    - replicationcontrollers
    - replicationcontrollers/scale
@ -149,6 +148,17 @@ items:
    - serviceaccounts/token
    verbs:
    - create
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - create
+    - delete
+    - deletecollection
+    - patch
+    - update
  - apiGroups:
    - apps
    resources:
@ -281,7 +291,6 @@ items:
    - ""
    resources:
    - bindings
-    - events
    - limitranges
    - namespaces/status
    - pods/log
@ -301,6 +310,15 @@ items:
    - get
    - list
    - watch
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - get
+    - list
+    - watch
  - apiGroups:
    - discovery.k8s.io
    resources:
@ -1047,6 +1065,7 @@ items:
    - update
  - apiGroups:
    - ""
+    - events.k8s.io
    resources:
    - events
    verbs: