allow image-puller role to read image signatures

openshift · Sep 14, 2017 · fa7a498 · fa7a498
1 parent 3fddedc
commit fa7a498
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -533,6 +533,8 @@ func GetOpenshiftBootstrapClusterRoles() []rbac.ClusterRole {
 			Rules: []rbac.PolicyRule{
 				// pull images
 				rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagestreams/layers").RuleOrDie(),
+				// read signatures
+				rbac.NewRule("get").Groups(imageGroup, legacyImageGroup).Resources("imagesignatures").RuleOrDie(),
 			},
 		},
 		{

diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -1755,6 +1755,13 @@ items:
     - imagestreams/layers
     verbs:
     - get
+  - apiGroups:
+    - ""
+    - image.openshift.io
+    resources:
+    - imagesignatures
+    verbs:
+    - get
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: ClusterRole
   metadata: