Merge pull request #18971 from enj/enj/i/disable_daemonset_carry/1536…

…304,1501514

Automatic merge from submit-queue.

UPSTREAM: <carry>: Remove write permissions on daemonsets from Kubernetes bootstrap policy

Due to how daemonsets interact with the project node selector, we need to limit write access to them to the cluster admin.

Bug 1536304
Bug 1501514

Signed-off-by: Monis Khan <mkhan@redhat.com>

/kind bug
/assign @liggitt @deads2k @simo5 @smarterclayton
@openshift/sig-security

/cherrypick release-3.9

test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml

@@ -4857,7 +4857,6 @@ items:
   - apiGroups:
     - apps
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -4873,6 +4872,14 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - apps
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     resources:
@@ -4903,7 +4910,6 @@ items:
   - apiGroups:
     - extensions
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -4920,6 +4926,14 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - extensions
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     resources:
@@ -5036,7 +5050,6 @@ items:
   - apiGroups:
     - apps
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5052,6 +5065,14 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - apps
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     resources:
@@ -5082,7 +5103,6 @@ items:
   - apiGroups:
     - extensions
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5099,6 +5119,14 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - extensions
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     resources:

test/testdata/bootstrappolicy/bootstrap_policy_file.yaml

@@ -5319,7 +5319,6 @@ items:
     - apps
     attributeRestrictions: null
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5335,6 +5334,15 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - apps
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     attributeRestrictions: null
@@ -5368,7 +5376,6 @@ items:
     - extensions
     attributeRestrictions: null
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5385,6 +5392,15 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - extensions
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     attributeRestrictions: null
@@ -5510,7 +5526,6 @@ items:
     - apps
     attributeRestrictions: null
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5526,6 +5541,15 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - apps
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     attributeRestrictions: null
@@ -5559,7 +5583,6 @@ items:
     - extensions
     attributeRestrictions: null
     resources:
-    - daemonsets
     - deployments
     - deployments/rollback
     - deployments/scale
@@ -5576,6 +5599,15 @@ items:
     - patch
     - update
     - watch
+  - apiGroups:
+    - extensions
+    attributeRestrictions: null
+    resources:
+    - daemonsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     attributeRestrictions: null