


     1# Do not edit, downloaded from https://github.com/kubernetes-csi/external-provisioner/raw/v4.0.0/deploy/kubernetes//rbac.yaml
     2# for csi-driver-host-path release-1.13
     3# by ./update-hostpath.sh
     4#
     5# This YAML file contains all RBAC objects that are necessary to run external
     6# CSI provisioner.
     7#
     8# In production, each CSI driver deployment has to be customized:
     9# - to avoid conflicts, use non-default namespace and different names
    10#   for non-namespaced entities like the ClusterRole
    11# - decide whether the deployment replicates the external CSI
    12#   provisioner, in which case leadership election must be enabled;
    13#   this influences the RBAC setup, see below
    14
    15apiVersion: v1
    16kind: ServiceAccount
    17metadata:
    18  name: csi-provisioner
    19  # replace with non-default namespace name
    20  namespace: default
    21
    22---
    23kind: ClusterRole
    24apiVersion: rbac.authorization.k8s.io/v1
    25metadata:
    26  name: external-provisioner-runner
    27rules:
    28  # The following rule should be uncommented for plugins that require secrets
    29  # for provisioning.
    30  # - apiGroups: [""]
    31  #   resources: ["secrets"]
    32  #   verbs: ["get", "list"]
    33  - apiGroups: [""]
    34    resources: ["persistentvolumes"]
    35    verbs: ["get", "list", "watch", "create", "delete"]
    36  - apiGroups: [""]
    37    resources: ["persistentvolumeclaims"]
    38    verbs: ["get", "list", "watch", "update"]
    39  - apiGroups: ["storage.k8s.io"]
    40    resources: ["storageclasses"]
    41    verbs: ["get", "list", "watch"]
    42  - apiGroups: [""]
    43    resources: ["events"]
    44    verbs: ["list", "watch", "create", "update", "patch"]
    45  - apiGroups: ["snapshot.storage.k8s.io"]
    46    resources: ["volumesnapshots"]
    47    verbs: ["get", "list"]
    48  - apiGroups: ["snapshot.storage.k8s.io"]
    49    resources: ["volumesnapshotcontents"]
    50    verbs: ["get", "list"]
    51  - apiGroups: ["storage.k8s.io"]
    52    resources: ["csinodes"]
    53    verbs: ["get", "list", "watch"]
    54  - apiGroups: [""]
    55    resources: ["nodes"]
    56    verbs: ["get", "list", "watch"]
    57  # Access to volumeattachments is only needed when the CSI driver
    58  # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
    59  # In that case, external-provisioner will watch volumeattachments
    60  # to determine when it is safe to delete a volume.
    61  - apiGroups: ["storage.k8s.io"]
    62    resources: ["volumeattachments"]
    63    verbs: ["get", "list", "watch"]
    64  # (Alpha) Access to referencegrants is only needed when the CSI driver
    65  # has the CrossNamespaceVolumeDataSource controller capability.
    66  # In that case, external-provisioner requires "get", "list", "watch" 
    67  # permissions  for "referencegrants" on "gateway.networking.k8s.io".
    68  #- apiGroups: ["gateway.networking.k8s.io"]
    69  #  resources: ["referencegrants"]
    70  #  verbs: ["get", "list", "watch"]
    71
    72---
    73kind: ClusterRoleBinding
    74apiVersion: rbac.authorization.k8s.io/v1
    75metadata:
    76  name: csi-provisioner-role
    77subjects:
    78  - kind: ServiceAccount
    79    name: csi-provisioner
    80    # replace with non-default namespace name
    81    namespace: default
    82roleRef:
    83  kind: ClusterRole
    84  name: external-provisioner-runner
    85  apiGroup: rbac.authorization.k8s.io
    86
    87---
    88# Provisioner must be able to work with endpoints in current namespace
    89# if (and only if) leadership election is enabled
    90kind: Role
    91apiVersion: rbac.authorization.k8s.io/v1
    92metadata:
    93  # replace with non-default namespace name
    94  namespace: default
    95  name: external-provisioner-cfg
    96rules:
    97# Only one of the following rules for endpoints or leases is required based on
    98# what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases.
    99- apiGroups: ["coordination.k8s.io"]
   100  resources: ["leases"]
   101  verbs: ["get", "watch", "list", "delete", "update", "create"]
   102# Permissions for CSIStorageCapacity are only needed enabling the publishing
   103# of storage capacity information.
   104- apiGroups: ["storage.k8s.io"]
   105  resources: ["csistoragecapacities"]
   106  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
   107# The GET permissions below are needed for walking up the ownership chain
   108# for CSIStorageCapacity. They are sufficient for deployment via
   109# StatefulSet (only needs to get Pod) and Deployment (needs to get
   110# Pod and then ReplicaSet to find the Deployment).
   111- apiGroups: [""]
   112  resources: ["pods"]
   113  verbs: ["get"]
   114- apiGroups: ["apps"]
   115  resources: ["replicasets"]
   116  verbs: ["get"]
   117
   118---
   119kind: RoleBinding
   120apiVersion: rbac.authorization.k8s.io/v1
   121metadata:
   122  name: csi-provisioner-role-cfg
   123  # replace with non-default namespace name
   124  namespace: default
   125subjects:
   126  - kind: ServiceAccount
   127    name: csi-provisioner
   128    # replace with non-default namespace name
   129    namespace: default
   130roleRef:
   131  kind: Role
   132  name: external-provisioner-cfg
   133  apiGroup: rbac.authorization.k8s.io
