| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104 |
- # This YAML file contains all RBAC objects that are necessary to run external
- # CSI provisioner.
- #
- # In production, each CSI driver deployment has to be customized:
- # - to avoid conflicts, use non-default namespace and different names
- # for non-namespaced entities like the ClusterRole
- # - decide whether the deployment replicates the external CSI
- # provisioner, in which case leadership election must be enabled;
- # this influences the RBAC setup, see below
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: csi-provisioner
- # replace with non-default namespace name
- namespace: default
- ---
- kind: ClusterRole
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- name: external-provisioner-runner
- rules:
- # The following rule should be uncommented for plugins that require secrets
- # for provisioning.
- # - apiGroups: [""]
- # resources: ["secrets"]
- # verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots"]
- verbs: ["get", "list"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["get", "list"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["csinodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- ---
- kind: ClusterRoleBinding
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- name: csi-provisioner-role
- subjects:
- - kind: ServiceAccount
- name: csi-provisioner
- # replace with non-default namespace name
- namespace: default
- roleRef:
- kind: ClusterRole
- name: external-provisioner-runner
- apiGroup: rbac.authorization.k8s.io
- ---
- # Provisioner must be able to work with endpoints in current namespace
- # if (and only if) leadership election is enabled
- kind: Role
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- # replace with non-default namespace name
- namespace: default
- name: external-provisioner-cfg
- rules:
- # Only one of the following rules for endpoints or leases is required based on
- # what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases.
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: ["coordination.k8s.io"]
- resources: ["leases"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- ---
- kind: RoleBinding
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- name: csi-provisioner-role-cfg
- # replace with non-default namespace name
- namespace: default
- subjects:
- - kind: ServiceAccount
- name: csi-provisioner
- # replace with non-default namespace name
- namespace: default
- roleRef:
- kind: Role
- name: external-provisioner-cfg
- apiGroup: rbac.authorization.k8s.io
|
