首页 发现 帮助
登录
tzeneto
/
custom-kube-scheduler
关注 1
点赞 0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 5afdb25efe
分支列表 标签列表
custom-kube-...
/
kubernetes-v1.15.4
/
test
/
e2e
/
testing-manifests
/
storage-csi
/
external-attacher
/
rbac.yaml

rbac.yaml 2.2 KB
文件历史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283 
  1. # This YAML file contains all RBAC objects that are necessary to run external
    2. 

  2. # CSI attacher.
    3. 

  3. #
    4. 

  4. # In production, each CSI driver deployment has to be customized:
    5. 

  5. # - to avoid conflicts, use non-default namespace and different names
    6. 

  6. #   for non-namespaced entities like the ClusterRole
    7. 

  7. # - decide whether the deployment replicates the external CSI
    8. 

  8. #   attacher, in which case leadership election must be enabled;
    9. 

  9. #   this influences the RBAC setup, see below
    10. 

  10. 

  11. apiVersion: v1
    12. 

  12. kind: ServiceAccount
    13. 

  13. metadata:
    14. 

  14.   name: csi-attacher
    15. 

  15.   # replace with non-default namespace name
    16. 

  16.   namespace: default
    17. 

  17. 

  18. ---
    19. 

  19. # Attacher must be able to work with PVs, nodes and VolumeAttachments
    20. 

  20. kind: ClusterRole
    21. 

  21. apiVersion: rbac.authorization.k8s.io/v1
    22. 

  22. metadata:
    23. 

  23.   name: external-attacher-runner
    24. 

  24. rules:
    25. 

  25.   - apiGroups: [""]
    26. 

  26.     resources: ["persistentvolumes"]
    27. 

  27.     verbs: ["get", "list", "watch", "update"]
    28. 

  28.   - apiGroups: [""]
    29. 

  29.     resources: ["nodes"]
    30. 

  30.     verbs: ["get", "list", "watch"]
    31. 

  31.   - apiGroups: ["csi.storage.k8s.io"]
    32. 

  32.     resources: ["csinodeinfos"]
    33. 

  33.     verbs: ["get", "list", "watch"]
    34. 

  34.   - apiGroups: ["storage.k8s.io"]
    35. 

  35.     resources: ["volumeattachments"]
    36. 

  36.     verbs: ["get", "list", "watch", "update"]
    37. 

  37. 

  38. ---
    39. 

  39. kind: ClusterRoleBinding
    40. 

  40. apiVersion: rbac.authorization.k8s.io/v1
    41. 

  41. metadata:
    42. 

  42.   name: csi-attacher-role
    43. 

  43. subjects:
    44. 

  44.   - kind: ServiceAccount
    45. 

  45.     name: csi-attacher
    46. 

  46.     # replace with non-default namespace name
    47. 

  47.     namespace: default
    48. 

  48. roleRef:
    49. 

  49.   kind: ClusterRole
    50. 

  50.   name: external-attacher-runner
    51. 

  51.   apiGroup: rbac.authorization.k8s.io
    52. 

  52. 

  53. ---
    54. 

  54. # Attacher must be able to work with config map in current namespace
    55. 

  55. # if (and only if) leadership election is enabled
    56. 

  56. kind: Role
    57. 

  57. apiVersion: rbac.authorization.k8s.io/v1
    58. 

  58. metadata:
    59. 

  59.   # replace with non-default namespace name
    60. 

  60.   namespace: default
    61. 

  61.   name: external-attacher-cfg
    62. 

  62. rules:
    63. 

  63. - apiGroups: [""]
    64. 

  64.   resources: ["configmaps"]
    65. 

  65.   verbs: ["get", "watch", "list", "delete", "update", "create"]
    66. 

  66. 

  67. ---
    68. 

  68. kind: RoleBinding
    69. 

  69. apiVersion: rbac.authorization.k8s.io/v1
    70. 

  70. metadata:
    71. 

  71.   name: csi-attacher-role-cfg
    72. 

  72.   # replace with non-default namespace name
    73. 

  73.   namespace: default
    74. 

  74. subjects:
    75. 

  75.   - kind: ServiceAccount
    76. 

  76.     name: csi-attacher
    77. 

  77.     # replace with non-default namespace name
    78. 

  78.     namespace: default
    79. 

  79. roleRef:
    80. 

  80.   kind: Role
    81. 

  81.   name: external-attacher-cfg
    82. 

  82.   apiGroup: rbac.authorization.k8s.io
    83. 

  83.