# Do not edit, downloaded from https://github.com/kubernetes-csi/external-attacher/raw/v4.5.0/deploy/kubernetes//rbac.yaml
# for csi-driver-host-path release-1.13
# by ./update-hostpath.sh
#
# This YAML file contains all RBAC objects that are necessary to run the external
# CSI attacher.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use a non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI
#   attacher, in which case leadership election must be enabled;
#   this influences the RBAC setup, see below
# ServiceAccount that receives the permissions defined in this file. The
# ClusterRoleBinding and RoleBinding below reference it by name AND
# namespace, so a namespace change here must be mirrored in their subjects.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-attacher
  # replace with non-default namespace name
  namespace: default
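---
# Cluster-scoped permissions: the attacher works with PersistentVolumes,
# CSINodes and VolumeAttachments, none of which are namespaced, so a
# ClusterRole is required. Rename it per driver deployment to avoid
# conflicts with other attachers in the same cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-attacher-runner
rules:
  # PersistentVolumes are read and patched; no create or delete is granted.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "patch"]
  # CSINodes are read-only.
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  # VolumeAttachments are read and patched; status updates go through the
  # separate status subresource, which only needs patch.
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  # Secret permission is optional.
  # Enable it if you need values from a Secret, for example when
  # StorageClass.parameters contains the key
  # `csi.storage.k8s.io/controller-publish-secret-name`;
  # see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html
  # Because this ClusterRole is bound through the ClusterRoleBinding below,
  # the rule grants get/list on Secrets in every namespace of the cluster.
  # Keep it commented out unless the driver actually uses such secrets.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]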
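---
# Binds the cluster-scoped ClusterRole above to the csi-attacher
# ServiceAccount. A ServiceAccount subject is identified by name AND
# namespace: if the namespace here does not match the ServiceAccount
# object, the binding points at a non-existent account and the attacher
# receives none of these permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-attacher-role
subjects:
  - kind: ServiceAccount
    name: csi-attacher
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: ClusterRole
  name: external-attacher-runner
  apiGroup: rbac.authorization.k8s.io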
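---
# Namespaced permissions for leader election: the attacher works with Leases
# in the current namespace if (and only if) leadership election is enabled.
# Only Leases are granted below; ConfigMaps are not covered by this rule.
# Being a Role rather than a ClusterRole, it is limited to this namespace,
# which is all leader election needs. If the attacher is not replicated,
# this Role and the RoleBinding below can be omitted.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # replace with non-default namespace name
  namespace: default
  name: external-attacher-cfg
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]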
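---
# Binds the leader-election Role to the csi-attacher ServiceAccount.
# Both the Role and this binding are namespaced: keep the binding in the
# same namespace as the Role, and keep the subject namespace equal to the
# ServiceAccount's namespace. Needed only when leadership election is
# enabled, together with the Role above.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csi-attacher-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-attacher
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: Role
  name: external-attacher-cfg
  apiGroup: rbac.authorization.k8s.io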