apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-controller-sa

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-controller-attacher-role
subjects:
  - kind: ServiceAccount
    name: csi-controller-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: external-attacher-runner
  apiGroup: rbac.authorization.k8s.io

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-controller-attacher-role-cfg
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-controller-sa
    namespace: default
roleRef:
  kind: Role
  name: external-attacher-cfg

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-controller-provisioner-role
subjects:
  - kind: ServiceAccount
    name: csi-controller-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: external-provisioner-runner
  apiGroup: rbac.authorization.k8s.io

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-controller-provisioner-role-cfg
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-controller-sa
    namespace: default
roleRef:
  kind: Role
  name: external-provisioner-cfg

---
# priviledged Pod Security Policy, previously defined via PrivilegedTestPSPClusterRoleBinding()
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: psp-csi-controller-driver-registrar-role
subjects:
  - kind: ServiceAccount
    name: csi-controller-sa
    namespace: default
  - kind: ServiceAccount
    name: csi-node-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: e2e-test-privileged-psp
  apiGroup: rbac.authorization.k8s.io