
Text file src/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/gce-pd/csi-controller-rbac.yaml

Documentation: k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/gce-pd

     1##### Controller Service Account, Roles, Rolebindings
     2apiVersion: v1
     3kind: ServiceAccount
     4metadata:
     5  name: csi-gce-pd-controller-sa
     6
     7---
     8# xref: https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml
     9kind: ClusterRole
    10apiVersion: rbac.authorization.k8s.io/v1
    11metadata:
    12  name: csi-gce-pd-provisioner-role
    13rules:
    14  - apiGroups: [""]
    15    resources: ["persistentvolumes"]
    16    verbs: ["get", "list", "watch", "create", "delete"]
    17  - apiGroups: [""]
    18    resources: ["persistentvolumeclaims"]
    19    verbs: ["get", "list", "watch", "update"]
    20  - apiGroups: ["storage.k8s.io"]
    21    resources: ["storageclasses"]
    22    verbs: ["get", "list", "watch"]
    23  - apiGroups: [""]
    24    resources: ["events"]
    25    verbs: ["list", "watch", "create", "update", "patch"]
    26  - apiGroups: ["storage.k8s.io"]
    27    resources: ["csinodes"]
    28    verbs: ["get", "list", "watch"]
    29  - apiGroups: [""]
    30    resources: ["nodes"]
    31    verbs: ["get", "list", "watch"]
    32  - apiGroups: ["snapshot.storage.k8s.io"]
    33    resources: ["volumesnapshots"]
    34    verbs: ["get", "list"]
    35  - apiGroups: ["snapshot.storage.k8s.io"]
    36    resources: ["volumesnapshotcontents"]
    37    verbs: ["get", "list"]
    38
    39---
    40
    41kind: ClusterRoleBinding
    42apiVersion: rbac.authorization.k8s.io/v1
    43metadata:
    44  name: csi-gce-pd-controller-provisioner-binding
    45subjects:
    46  - kind: ServiceAccount
    47    name: csi-gce-pd-controller-sa
    48roleRef:
    49  kind: ClusterRole
    50  name: csi-gce-pd-provisioner-role
    51  apiGroup: rbac.authorization.k8s.io
    52  
    53---
    54# xref: https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml
    55kind: ClusterRole
    56apiVersion: rbac.authorization.k8s.io/v1
    57metadata:
    58  name: csi-gce-pd-attacher-role
    59rules:
    60  - apiGroups: [""]
    61    resources: ["persistentvolumes"]
    62    verbs: ["get", "list", "watch", "update", "patch"]
    63  - apiGroups: [""]
    64    resources: ["nodes"]
    65    verbs: ["get", "list", "watch"]
    66  - apiGroups: ["storage.k8s.io"]
    67    resources: ["csinodes"]
    68    verbs: ["get", "list", "watch"]
    69  - apiGroups: ["storage.k8s.io"]
    70    resources: ["volumeattachments"]
    71    verbs: ["get", "list", "watch", "update", "patch"]
    72  - apiGroups: ["storage.k8s.io"]
    73    resources: ["volumeattachments/status"]
    74    verbs: ["patch"]
    75
    76---
    77
    78kind: ClusterRoleBinding
    79apiVersion: rbac.authorization.k8s.io/v1
    80metadata:
    81  name: csi-gce-pd-controller-attacher-binding
    82subjects:
    83  - kind: ServiceAccount
    84    name: csi-gce-pd-controller-sa
    85roleRef:
    86  kind: ClusterRole
    87  name: csi-gce-pd-attacher-role
    88  apiGroup: rbac.authorization.k8s.io
    89
    90---
    91
    92# Resizer must be able to work with PVCs, PVs, SCs.
    93kind: ClusterRole
    94apiVersion: rbac.authorization.k8s.io/v1
    95metadata:
    96  name: csi-gce-pd-resizer-role
    97rules:
    98  - apiGroups: [""]
    99    resources: ["persistentvolumes"]
   100    verbs: ["get", "list", "watch", "update", "patch"]
   101  - apiGroups: [""]
   102    resources: ["persistentvolumeclaims"]
   103    verbs: ["get", "list", "watch"]
   104  - apiGroups: [""]
   105    resources: ["persistentvolumeclaims/status"]
   106    verbs: ["update", "patch"]
   107  - apiGroups: [""]
   108    resources: ["events"]
   109    verbs: ["list", "watch", "create", "update", "patch"]
   110
   111---
   112kind: ClusterRoleBinding
   113apiVersion: rbac.authorization.k8s.io/v1
   114metadata:
   115  name: csi-gce-pd-resizer-binding
   116subjects:
   117  - kind: ServiceAccount
   118    name: csi-gce-pd-controller-sa
   119roleRef:
   120  kind: ClusterRole
   121  name: csi-gce-pd-resizer-role
   122  apiGroup: rbac.authorization.k8s.io
   123
   124---
   125# xref: https://github.com/kubernetes-csi/external-snapshotter/blob/master/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml
   126kind: ClusterRole
   127apiVersion: rbac.authorization.k8s.io/v1
   128metadata:
   129  name: csi-gce-pd-snapshotter-role
   130rules:
   131  - apiGroups: [""]
   132    resources: ["events"]
   133    verbs: ["list", "watch", "create", "update", "patch"]
   134  - apiGroups: ["snapshot.storage.k8s.io"]
   135    resources: ["volumesnapshotclasses"]
   136    verbs: ["get", "list", "watch"]
   137  - apiGroups: ["snapshot.storage.k8s.io"]
   138    resources: ["volumesnapshotcontents"]
   139    verbs: ["get", "list", "watch", "update", "delete", "patch"]
   140  - apiGroups: ["snapshot.storage.k8s.io"]
   141    resources: ["volumesnapshotcontents/status"]
   142    verbs: ["update", "patch"]
   143---
   144
   145kind: ClusterRoleBinding
   146apiVersion: rbac.authorization.k8s.io/v1
   147metadata:
   148  name: csi-gce-pd-controller-snapshotter-binding
   149subjects:
   150  - kind: ServiceAccount
   151    name: csi-gce-pd-controller-sa
   152roleRef:
   153  kind: ClusterRole
   154  name: csi-gce-pd-snapshotter-role
   155  apiGroup: rbac.authorization.k8s.io
   156---
   157
   158kind: Role
   159apiVersion: rbac.authorization.k8s.io/v1
   160metadata:
   161  name: csi-gce-pd-leaderelection-role
   162  namespace: gce-pd-csi-driver
   163  labels:
   164    k8s-app: gcp-compute-persistent-disk-csi-driver
   165rules:
   166- apiGroups: ["coordination.k8s.io"]
   167  resources: ["leases"]
   168  verbs: ["get", "watch", "list", "delete", "update", "create"]
   169---
   170
   171kind: RoleBinding
   172apiVersion: rbac.authorization.k8s.io/v1
   173metadata:
   174  name: csi-gce-pd-controller-leaderelection-binding
   175  namespace: gce-pd-csi-driver
   176  labels:
   177    k8s-app: gcp-compute-persistent-disk-csi-driver
   178subjects:
   179- kind: ServiceAccount
   180  name: csi-gce-pd-controller-sa
   181roleRef:
   182  kind: Role
   183  name: csi-gce-pd-leaderelection-role
   184  apiGroup: rbac.authorization.k8s.io
   185---
   186
   187# privileged Pod Security Policy, previously defined via PrivilegedTestPSPClusterRoleBinding()
   188kind: ClusterRoleBinding
   189apiVersion: rbac.authorization.k8s.io/v1
   190metadata:
   191  name: psp-csi-controller-driver-registrar-role
   192subjects:
   193  - kind: ServiceAccount
   194    name: csi-gce-pd-controller-sa
   195roleRef:
   196  kind: ClusterRole
   197  name: e2e-test-privileged-psp
   198  apiGroup: rbac.authorization.k8s.io
