
Text file src/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-attacher/rbac.yaml


     1# Do not edit, downloaded from https://github.com/kubernetes-csi/external-attacher/raw/v4.5.0/deploy/kubernetes//rbac.yaml
     2# for csi-driver-host-path release-1.13
     3# by ./update-hostpath.sh
     4#
     5# This YAML file contains all RBAC objects that are necessary to run external
     6# CSI attacher.
     7#
     8# In production, each CSI driver deployment has to be customized:
     9# - to avoid conflicts, use non-default namespace and different names
    10#   for non-namespaced entities like the ClusterRole
    11# - decide whether the deployment replicates the external CSI
    12#   attacher, in which case leadership election must be enabled;
    13#   this influences the RBAC setup, see below
    14
    15apiVersion: v1
    16kind: ServiceAccount
    17metadata:
    18  name: csi-attacher
    19  # replace with non-default namespace name
    20  namespace: default
    21
    22---
    23# Attacher must be able to work with PVs, CSINodes and VolumeAttachments
    24kind: ClusterRole
    25apiVersion: rbac.authorization.k8s.io/v1
    26metadata:
    27  name: external-attacher-runner
    28rules:
    29  - apiGroups: [""]
    30    resources: ["persistentvolumes"]
    31    verbs: ["get", "list", "watch", "patch"]
    32  - apiGroups: ["storage.k8s.io"]
    33    resources: ["csinodes"]
    34    verbs: ["get", "list", "watch"]
    35  - apiGroups: ["storage.k8s.io"]
    36    resources: ["volumeattachments"]
    37    verbs: ["get", "list", "watch", "patch"]
    38  - apiGroups: ["storage.k8s.io"]
    39    resources: ["volumeattachments/status"]
    40    verbs: ["patch"]
    41#Secret permission is optional.
    42#Enable it if you need value from secret.
    43#For example, you have key `csi.storage.k8s.io/controller-publish-secret-name` in StorageClass.parameters
    44#see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html
    45#  - apiGroups: [""]
    46#    resources: ["secrets"]
    47#    verbs: ["get", "list"]
    48
    49---
    50kind: ClusterRoleBinding
    51apiVersion: rbac.authorization.k8s.io/v1
    52metadata:
    53  name: csi-attacher-role
    54subjects:
    55  - kind: ServiceAccount
    56    name: csi-attacher
    57    # replace with non-default namespace name
    58    namespace: default
    59roleRef:
    60  kind: ClusterRole
    61  name: external-attacher-runner
    62  apiGroup: rbac.authorization.k8s.io
    63
    64---
    65# Attacher must be able to work with configmaps or leases in the current namespace
    66# if (and only if) leadership election is enabled
    67kind: Role
    68apiVersion: rbac.authorization.k8s.io/v1
    69metadata:
    70  # replace with non-default namespace name
    71  namespace: default
    72  name: external-attacher-cfg
    73rules:
    74- apiGroups: ["coordination.k8s.io"]
    75  resources: ["leases"]
    76  verbs: ["get", "watch", "list", "delete", "update", "create"]
    77
    78---
    79kind: RoleBinding
    80apiVersion: rbac.authorization.k8s.io/v1
    81metadata:
    82  name: csi-attacher-role-cfg
    83  # replace with non-default namespace name
    84  namespace: default
    85subjects:
    86  - kind: ServiceAccount
    87    name: csi-attacher
    88    # replace with non-default namespace name
    89    namespace: default
    90roleRef:
    91  kind: Role
    92  name: external-attacher-cfg
    93  apiGroup: rbac.authorization.k8s.io
