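# Source: github.com/1aal/kubeblocks@v0.0.0-20231107070852-e1c03e598921/deploy/csi-hostpath-driver/templates/rbac/rbac-csi-attacher.yaml
#
# RBAC objects for the CSI attacher service account of the csi-hostpath-driver chart:
#   - a ServiceAccount in the release namespace,
#   - a ClusterRole + ClusterRoleBinding for cluster-scoped storage objects,
#   - a Role + RoleBinding for leases in the release namespace.
#
# The release namespace is passed through `quote` everywhere it is a whole YAML value.
# A namespace such as "123" or "true" is a valid DNS label, but rendered unquoted it
# becomes an integer/boolean scalar and the manifest is rejected by the API server.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-attacher-{{ include "csi-hostpath-driver.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}

---
# Attacher must be able to work with PVs, CSINodes and VolumeAttachments.
# These rules are cluster-wide. `patch` is the only write verb granted;
# no create/delete/update is given on any resource in this ClusterRole.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-attacher-runner-{{ include "csi-hostpath-driver.fullname" . }}
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
# Secret permission is optional.
# Enable it if you need value from secret.
# For example, you have key `csi.storage.k8s.io/controller-publish-secret-name` in StorageClass.parameters
# see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html
#
# NOTE(review): this rule sits in a ClusterRole bound by a ClusterRoleBinding, so enabling
# it lets the attacher service account read Secrets in every namespace, and `list` returns
# Secret contents, not just names. Keep it disabled unless a StorageClass needs it; if the
# Secret namespace is known, prefer a namespaced Role/RoleBinding there instead.
#  - apiGroups: [""]
#    resources: ["secrets"]
#    verbs: ["get", "list"]

---
# Binds the ClusterRole above to the attacher ServiceAccount in the release namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-attacher-role-{{ include "csi-hostpath-driver.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: csi-attacher-{{ include "csi-hostpath-driver.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
roleRef:
  kind: ClusterRole
  name: external-attacher-runner-{{ include "csi-hostpath-driver.fullname" . }}
  apiGroup: rbac.authorization.k8s.io

---
# Attacher must be able to work with leases in the release namespace
# if (and only if) leadership election is enabled.
# Only coordination.k8s.io leases are granted here; there is no configmaps rule.
# NOTE(review): this Role is rendered unconditionally by this template, so the grant
# exists even when leader election is turned off in the attacher's arguments.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: {{ .Release.Namespace | quote }}
  name: external-attacher-cfg-{{ include "csi-hostpath-driver.fullname" . }}
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---
# Binds the lease Role above to the attacher ServiceAccount; both live in the release namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-attacher-role-cfg-{{ include "csi-hostpath-driver.fullname" . }}
  namespace: {{ .Release.Namespace | quote }}
subjects:
  - kind: ServiceAccount
    name: csi-attacher-{{ include "csi-hostpath-driver.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
roleRef:
  kind: Role
  name: external-attacher-cfg-{{ include "csi-hostpath-driver.fullname" . }}
  apiGroup: rbac.authorization.k8s.io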