Merge pull request kubernetes#39544 from foxish/fix-rbac-disruption

Automatic merge from submit-queue (batch tested with PRs 39544, 39552, 39553)

Allow disruption controller to read statefulsets

**What this PR does / why we need it**: Disruption controller was unable to list/watch statefulsets when RBAC is enabled because it wasn't granted permission.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes#39541

cc @mwielgus

Author: Kubernetes Submit Queue

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go

@@ -108,6 +108,7 @@ func init() {
 			rbac.NewRule("get", "list", "watch").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
 			rbac.NewRule("get", "list", "watch").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
 			rbac.NewRule("get", "list", "watch").Groups(policyGroup).Resources("poddisruptionbudgets").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
 			rbac.NewRule("update").Groups(policyGroup).Resources("poddisruptionbudgets/status").RuleOrDie(),
 			eventsRule(),
 		},

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml

@@ -263,6 +263,15 @@ items:
     - get
     - list
     - watch
+  - apiGroups:
+    - apps
+    attributeRestrictions: null
+    resources:
+    - statefulsets
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - policy
     attributeRestrictions: null