-
Notifications
You must be signed in to change notification settings - Fork 324
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
deploy: split out RBAC, fix leadership election permissions
The RBAC definitions were not updated when introducing leadership election, which depends on the permission to modify endpoints in the current namespace. Having the RBAC definition in a separate file makes them usable as-is elsewhere without manual editing, for example in kubernetes/e2e.
- Loading branch information
Showing
2 changed files
with
92 additions
and
47 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
# This YAML file contains all RBAC objects that are necessary to run external | ||
# CSI provisioner. | ||
# | ||
# In production, each CSI driver deployment has to be customized: | ||
# - to avoid conflicts, use non-default namespace and different names | ||
# for non-namespaced entities like the ClusterRole | ||
# - decide whether the deployment replicates the external CSI | ||
# provisioner, in which case leadership election must be enabled; | ||
# this influences the RBAC setup, see below | ||
|
||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: csi-provisioner | ||
# replace with non-default namespace name | ||
namespace: default | ||
|
||
--- | ||
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: external-provisioner-runner | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["secrets"] | ||
verbs: ["get", "list"] | ||
- apiGroups: [""] | ||
resources: ["persistentvolumes"] | ||
verbs: ["get", "list", "watch", "create", "delete"] | ||
- apiGroups: [""] | ||
resources: ["persistentvolumeclaims"] | ||
verbs: ["get", "list", "watch", "update"] | ||
- apiGroups: ["storage.k8s.io"] | ||
resources: ["storageclasses"] | ||
verbs: ["get", "list", "watch"] | ||
- apiGroups: [""] | ||
resources: ["events"] | ||
verbs: ["list", "watch", "create", "update", "patch"] | ||
- apiGroups: ["snapshot.storage.k8s.io"] | ||
resources: ["volumesnapshots"] | ||
verbs: ["get", "list"] | ||
- apiGroups: ["snapshot.storage.k8s.io"] | ||
resources: ["volumesnapshotcontents"] | ||
verbs: ["get", "list"] | ||
|
||
--- | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: csi-provisioner-role | ||
subjects: | ||
- kind: ServiceAccount | ||
name: csi-provisioner | ||
# replace with non-default namespace name | ||
namespace: default | ||
roleRef: | ||
kind: ClusterRole | ||
name: external-provisioner-runner | ||
apiGroup: rbac.authorization.k8s.io | ||
|
||
--- | ||
# Provisioner must be able to work with endpoints in current namespace | ||
# if (and only if) leadership election is enabled | ||
kind: Role | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
# replace with non-default namespace name | ||
namespace: default | ||
name: external-provisioner-cfg | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["endpoints"] | ||
verbs: ["get", "watch", "list", "delete", "update", "create"] | ||
|
||
--- | ||
kind: RoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: csi-provisioner-role-cfg | ||
# replace with non-default namespace name | ||
namespace: default | ||
subjects: | ||
- kind: ServiceAccount | ||
name: csi-provisioner | ||
# replace with non-default namespace name | ||
namespace: default | ||
roleRef: | ||
kind: Role | ||
name: external-provisioner-cfg |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters