# Do not edit, downloaded from https://github.com/kubernetes-csi/external-health-monitor/raw/v0.11.0/deploy/kubernetes/external-health-monitor-controller/rbac.yaml
# for csi-driver-host-path release-1.13
# by ./update-hostpath.sh
#
# This YAML file contains all RBAC objects that are necessary to run the
# external CSI health monitor controller.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use a non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI
#   health monitor controller, in which case leadership election must be enabled;
#   this influences the RBAC setup, see below

# Identity the external health monitor controller runs as. The ClusterRoleBinding
# and RoleBinding in this file both name this account as their subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-external-health-monitor-controller
  # Replace with a non-default namespace name. Anyone allowed to create pods
  # in this account's namespace can run a pod under it and use its
  # permissions, so a dedicated namespace keeps that set of principals small.
  namespace: default

---
# Health monitor controller must be able to work with PVs, PVCs, Nodes and Pods.
# Those four resources get read-only verbs (get, list, watch); events are the
# only resource this role may create or patch. Bound through the
# ClusterRoleBinding in this file, the rules apply in every namespace, so the
# pod rule means reading pod specs cluster-wide. Review any rule added here
# (secrets in particular) with that scope in mind.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-health-monitor-controller-runner
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Events are the one place this role writes: create and patch, no delete.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch", "create", "patch"]

---
# Grants the external-health-monitor-controller-runner ClusterRole to the
# controller's ServiceAccount across all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-external-health-monitor-controller-role
subjects:
  - kind: ServiceAccount
    name: csi-external-health-monitor-controller
    # Replace with non-default namespace name. Keep it identical to the
    # ServiceAccount's namespace: the API server accepts a binding whose
    # subject does not exist, and an account created later under this name
    # and namespace would pick up these permissions.
    namespace: default
roleRef:
  kind: ClusterRole
  name: external-health-monitor-controller-runner
  apiGroup: rbac.authorization.k8s.io

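---
# Leader-election permissions: the health monitor controller needs these if
# (and only if) leadership election is enabled. The rule grants access to
# leases only; it contains no configmaps rule. It is not narrowed with
# resourceNames, so it covers every Lease in the namespace, including Leases
# that other controllers sharing the namespace use for their own election.
# That is one more reason to deploy into a dedicated namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # replace with non-default namespace name
  namespace: default
  name: external-health-monitor-controller-cfg
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
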
---
# Binds the leader-election Role (external-health-monitor-controller-cfg) to
# the controller's ServiceAccount. A RoleBinding can only reference a Role in
# its own namespace, so metadata.namespace here has to match the Role's.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csi-external-health-monitor-controller-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-external-health-monitor-controller
    # Replace with non-default namespace name; must be the namespace the
    # ServiceAccount itself is created in.
    namespace: default
roleRef:
  kind: Role
  name: external-health-monitor-controller-cfg
  apiGroup: rbac.authorization.k8s.io