##### Controller Service Account, Roles, Rolebindings
#
# Identity the controller Pod runs as. Every (Cluster)RoleBinding in this file
# has this ServiceAccount as its only subject, so its effective privilege is the
# union of all roles bound below.
#
# NOTE(review): no namespace is set here, nor on the binding subjects that refer
# to this account. A ClusterRoleBinding subject of kind ServiceAccount needs a
# namespace to pass API validation, so presumably the deployment tooling (e.g. a
# kustomize namespace transformer) injects it — confirm before applying directly.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-gce-pd-controller-sa

---
# xref: https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml
#
# Cluster-wide permissions used by the external-provisioner sidecar.
# What is granted: create/delete on PersistentVolumes, update on
# PersistentVolumeClaims, read-only access to StorageClasses, CSINodes, Nodes,
# VolumeSnapshots and VolumeSnapshotContents, and create/update/patch on Events.
# No rule grants access to Secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-provisioner-role
rules:
  # PV lifecycle (cluster-scoped objects; create/delete is inherent to provisioning)
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # PVCs are updated (e.g. annotations/finalizers) but never created or deleted
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  # Read-only
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  # Event recording; note 'get' is not needed and not granted
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Read-only
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  # Read-only
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Snapshot objects: read-only ('watch' deliberately absent)
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]

---
# Grants csi-gce-pd-provisioner-role, cluster-wide, to the controller
# ServiceAccount.
#
# NOTE(review): the ServiceAccount subject carries no namespace; presumably it is
# filled in by a kustomize namespace transformer — confirm, since the API server
# requires it for ServiceAccount subjects of a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-provisioner-binding
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-provisioner-role

---
# xref: https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml
#
# Cluster-wide permissions used by the external-attacher sidecar.
# What is granted: update/patch on PersistentVolumes and VolumeAttachments,
# patch on VolumeAttachment status, and read-only access to Nodes and CSINodes.
# Nothing here allows creating or deleting any object, and no Secrets access is
# granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-attacher-role
rules:
  # PVs are mutated (update/patch) but not created or deleted by the attacher
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Read-only
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Read-only
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  # VolumeAttachment objects are only updated/patched here; their creation is
  # done elsewhere (not by this role)
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Status subresource is split out so that only 'patch' is granted on it
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]

---
# Grants csi-gce-pd-attacher-role, cluster-wide, to the controller
# ServiceAccount.
#
# NOTE(review): subject namespace omitted — presumably injected by the deployment
# tooling (kustomize); confirm, as a ClusterRoleBinding ServiceAccount subject
# needs one to pass API validation.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-attacher-binding
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-attacher-role

---
# Resizer must be able to work with PVCs, PVs, SCs.
#
# Cluster-wide permissions used by the external-resizer sidecar.
# What is granted: update/patch on PersistentVolumes, read-only on
# PersistentVolumeClaims, update/patch on PVC status, and Event recording.
#
# NOTE(review): despite the "SCs" in the comment above, no rule below grants any
# access to storageclasses — confirm the resizer version in use does not need it
# (if it does, resizing will fail with a forbidden error rather than silently).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-resizer-role
rules:
  # PVs: mutate only, no create/delete
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # PVC spec is read-only for the resizer ...
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  # ... only the status subresource may be written
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["update", "patch"]
  # Event recording
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]

---
# Grants csi-gce-pd-resizer-role, cluster-wide, to the controller ServiceAccount.
#
# NOTE(review): the name lacks the "controller-" segment used by the sibling
# bindings (csi-gce-pd-controller-*-binding); left unchanged because renaming a
# binding orphans the existing object on upgrade.
# NOTE(review): subject namespace omitted — presumably injected by the deployment
# tooling (kustomize); confirm, as the API server requires it for ServiceAccount
# subjects of a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-resizer-binding
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-resizer-role

---
# xref: https://github.com/kubernetes-csi/external-snapshotter/blob/master/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml
#
# Cluster-wide permissions used by the csi-snapshotter sidecar.
# What is granted: Event recording, read-only VolumeSnapshotClasses,
# update/delete/patch on VolumeSnapshotContents and update/patch on their status.
# There is no rule for volumesnapshots themselves, and no Secrets access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-snapshotter-role
rules:
  # Event recording
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Read-only
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  # 'delete' on contents is the most destructive verb in this file's snapshot
  # rules; 'create' is notably absent
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "delete", "patch"]
  # Status subresource, write-only verbs
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]

---
# Grants csi-gce-pd-snapshotter-role, cluster-wide, to the controller
# ServiceAccount.
#
# NOTE(review): subject namespace omitted — presumably injected by the deployment
# tooling (kustomize); confirm, as a ClusterRoleBinding ServiceAccount subject
# needs one to pass API validation.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-snapshotter-binding
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-snapshotter-role

---
# Namespaced Role for sidecar leader election via coordination.k8s.io Leases.
# Unlike the ClusterRoles above this one is scoped to the gce-pd-csi-driver
# namespace, so the grant does not reach Leases elsewhere in the cluster.
#
# NOTE(review): 'delete' on leases is broader than acquire/renew needs; confirm
# the sidecar versions in use actually require it before keeping it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: csi-gce-pd-leaderelection-role
  namespace: gce-pd-csi-driver
  labels:
    k8s-app: gcp-compute-persistent-disk-csi-driver
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---
# Binds the namespaced leader-election Role to the controller ServiceAccount.
# Being a RoleBinding, the subject's namespace defaults to the binding's own
# namespace (gce-pd-csi-driver), so omitting it here is fine.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csi-gce-pd-controller-leaderelection-binding
  namespace: gce-pd-csi-driver
  labels:
    k8s-app: gcp-compute-persistent-disk-csi-driver
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: csi-gce-pd-leaderelection-role

---
# privileged Pod Security Policy, previously defined via PrivilegedTestPSPClusterRoleBinding()
#
# Binds the controller ServiceAccount to the ClusterRole named
# e2e-test-privileged-psp, which is expected to allow 'use' of a privileged
# PodSecurityPolicy. That ClusterRole is not defined in this file.
#
# NOTE(review): the role name suggests an e2e-test fixture; confirm this binding
# is wanted in non-test deployments. PodSecurityPolicy was removed in
# Kubernetes 1.25, so on such clusters the roleRef dangles and the binding is
# inert — Pod Security Admission (or an equivalent admission policy) must cover
# the controller namespace instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-csi-controller-driver-registrar-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: e2e-test-privileged-psp