Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: b9b304b401
Branches Tags
custom-kube-...
/
kubernetes
/
test
/
e2e
/
testing-manifests
/
storage-csi
/
external-resizer
/
rbac.yaml

rbac.yaml 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788 
  1. # This YAML file contains all RBAC objects that are necessary to run external
    2. 

  2. # CSI resizer.
    3. 

  3. #
    4. 

  4. # In production, each CSI driver deployment has to be customized:
    5. 

  5. # - to avoid conflicts, use non-default namespace and different names
    6. 

  6. #   for non-namespaced entities like the ClusterRole
    7. 

  7. # - decide whether the deployment replicates the external CSI
    8. 

  8. #   resizer, in which case leadership election must be enabled;
    9. 

  9. #   this influences the RBAC setup, see below
    10. 

  10. 

  11. apiVersion: v1
    12. 

  12. kind: ServiceAccount
    13. 

  13. metadata:
    14. 

  14.   name: csi-resizer
    15. 

  15.   # replace with non-default namespace name
    16. 

  16.   namespace: default
    17. 

  17. 

  18. ---
    19. 

  19. # Resizer must be able to work with PVCs, PVs, SCs.
    20. 

  20. kind: ClusterRole
    21. 

  21. apiVersion: rbac.authorization.k8s.io/v1
    22. 

  22. metadata:
    23. 

  23.   name: external-resizer-runner
    24. 

  24. rules:
    25. 

  25.   # The following rule should be uncommented for plugins that require secrets
    26. 

  26.   # for provisioning.
    27. 

  27.   # - apiGroups: [""]
    28. 

  28.   #   resources: ["secrets"]
    29. 

  29.   #   verbs: ["get", "list", "watch"]
    30. 

  30.   - apiGroups: [""]
    31. 

  31.     resources: ["persistentvolumes"]
    32. 

  32.     verbs: ["get", "list", "watch", "update", "patch"]
    33. 

  33.   - apiGroups: [""]
    34. 

  34.     resources: ["persistentvolumeclaims"]
    35. 

  35.     verbs: ["get", "list", "watch"]
    36. 

  36.   - apiGroups: [""]
    37. 

  37.     resources: ["persistentvolumeclaims/status"]
    38. 

  38.     verbs: ["update", "patch"]
    39. 

  39.   - apiGroups: [""]
    40. 

  40.     resources: ["events"]
    41. 

  41.     verbs: ["list", "watch", "create", "update", "patch"]
    42. 

  42. 

  43. ---
    44. 

  44. kind: ClusterRoleBinding
    45. 

  45. apiVersion: rbac.authorization.k8s.io/v1
    46. 

  46. metadata:
    47. 

  47.   name: csi-resizer-role
    48. 

  48. subjects:
    49. 

  49.   - kind: ServiceAccount
    50. 

  50.     name: csi-resizer
    51. 

  51.     # replace with non-default namespace name
    52. 

  52.     namespace: default
    53. 

  53. roleRef:
    54. 

  54.   kind: ClusterRole
    55. 

  55.   name: external-resizer-runner
    56. 

  56.   apiGroup: rbac.authorization.k8s.io
    57. 

  57. 

  58. ---
    59. 

  59. # Resizer must be able to work with end point in current namespace
    60. 

  60. # if (and only if) leadership election is enabled
    61. 

  61. kind: Role
    62. 

  62. apiVersion: rbac.authorization.k8s.io/v1
    63. 

  63. metadata:
    64. 

  64.   # replace with non-default namespace name
    65. 

  65.   namespace: default
    66. 

  66.   name: external-resizer-cfg
    67. 

  67. rules:
    68. 

  68. - apiGroups: ["coordination.k8s.io"]
    69. 

  69.   resources: ["leases"]
    70. 

  70.   verbs: ["get", "watch", "list", "delete", "update", "create"]
    71. 

  71. 

  72. ---
    73. 

  73. kind: RoleBinding
    74. 

  74. apiVersion: rbac.authorization.k8s.io/v1
    75. 

  75. metadata:
    76. 

  76.   name: csi-resizer-role-cfg
    77. 

  77.   # replace with non-default namespace name
    78. 

  78.   namespace: default
    79. 

  79. subjects:
    80. 

  80.   - kind: ServiceAccount
    81. 

  81.     name: csi-resizer
    82. 

  82.     # replace with non-default namespace name
    83. 

  83.     namespace: default
    84. 

  84. roleRef:
    85. 

  85.   kind: Role
    86. 

  86.   name: external-resizer-cfg
    87. 

  87.   apiGroup: rbac.authorization.k8s.io
    88. 

  88.