github.com/1aal/kubeblocks@v0.0.0-20231107070852-e1c03e598921/deploy/csi-hostpath-driver/templates/rbac/rbac-csi-snapshotter.yaml (about)

     1  apiVersion: v1
     2  kind: ServiceAccount
        # Identity that the ClusterRoleBinding and RoleBinding later in this file
        # name as their subject.
        # NOTE(review): no metadata.namespace is set here, while both bindings
        # reference this account in .Release.Namespace. Presumably Helm places the
        # object in the release namespace at install time; confirm this also holds
        # when the chart is rendered and applied by other tooling, otherwise the
        # bindings would point at an account that this manifest did not create.
     3  metadata:
     4    name: csi-snapshotter-{{ include "csi-hostpath-driver.fullname" . }}
     5  
     6  ---
     7  kind: ClusterRole
        # Cluster-scoped permissions for the snapshotter service account: Events in
        # the core API group plus VolumeSnapshotClass / VolumeSnapshotContent objects
        # in snapshot.storage.k8s.io. Every rule here applies in all namespaces.
     8  apiVersion: rbac.authorization.k8s.io/v1
     9  metadata:
    10    # rename if there are conflicts
    11    name: external-snapshotter-runner-{{ include "csi-hostpath-driver.fullname" . }}
    12  rules:
          # Read, create and modify Events; no delete verb is granted.
    13    - apiGroups: [""]
    14      resources: ["events"]
    15      verbs: ["list", "watch", "create", "update", "patch"]
    16    # Secret permission is optional.
    17    # Enable it if your driver needs secret.
    18    # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
    19    # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
          # Security note: this is a ClusterRole and the binding in this file is a
          # ClusterRoleBinding, so enabling the rule below grants get/list on Secrets
          # in every namespace. A list response carries the secret data itself, not
          # only the names. Leave the rule commented out unless the driver needs it.
    20    #  - apiGroups: [""]
    21    #    resources: ["secrets"]
    22    #    verbs: ["get", "list"]
          # Read-only access to VolumeSnapshotClass objects.
    23    - apiGroups: ["snapshot.storage.k8s.io"]
    24      resources: ["volumesnapshotclasses"]
    25      verbs: ["get", "list", "watch"]
          # Read and modify existing VolumeSnapshotContent objects; create and delete
          # are not granted by this role.
    26    - apiGroups: ["snapshot.storage.k8s.io"]
    27      resources: ["volumesnapshotcontents"]
    28      verbs: ["get", "list", "watch", "update", "patch"]
          # Write-only access to the status subresource of VolumeSnapshotContent.
    29    - apiGroups: ["snapshot.storage.k8s.io"]
    30      resources: ["volumesnapshotcontents/status"]
    31      verbs: ["update", "patch"]
    32  
    33  ---
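    34  kind: ClusterRoleBinding
        # Grants the external-snapshotter-runner ClusterRole to the csi-snapshotter
        # service account. Because this is a ClusterRoleBinding, the role's rules
        # apply to that account in every namespace.
    35  apiVersion: rbac.authorization.k8s.io/v1
    36  metadata:
    37    name: csi-snapshotter-role-{{ include "csi-hostpath-driver.fullname" . }}
    38  subjects:
    39    - kind: ServiceAccount
    40      name: csi-snapshotter-{{ include "csi-hostpath-driver.fullname" . }}
            # Quoted so that a release namespace such as 123, true or null still
            # renders as a YAML string instead of a number, boolean or null.
    41      namespace: {{ .Release.Namespace | quote }}
    42  roleRef:
    43    kind: ClusterRole
    44    # change the name also here if the ClusterRole gets renamed
    45    name: external-snapshotter-runner-{{ include "csi-hostpath-driver.fullname" . }}
    46    apiGroup: rbac.authorization.k8s.io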
    47  
    48  ---
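    49  kind: Role
        # Namespaced Role limited to Lease objects in coordination.k8s.io inside the
        # release namespace; going by its name, it backs the snapshotter's leader
        # election.
    50  apiVersion: rbac.authorization.k8s.io/v1
    51  metadata:
          # Quoted so that a release namespace such as 123, true or null still
          # renders as a YAML string instead of a number, boolean or null.
    52    namespace: {{ .Release.Namespace | quote }}
    53    name: external-snapshotter-leaderelection-{{ include "csi-hostpath-driver.fullname" . }}
    54  rules:
          # Covers every Lease in this namespace; the rule has no resourceNames
          # restriction.
    55    - apiGroups: ["coordination.k8s.io"]
    56      resources: ["leases"]
    57      verbs: ["get", "watch", "list", "delete", "update", "create"]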
    58  
    59  ---
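    60  kind: RoleBinding
        # Binds the external-snapshotter-leaderelection Role to the csi-snapshotter
        # service account; the grant is confined to the release namespace.
    61  apiVersion: rbac.authorization.k8s.io/v1
    62  metadata:
    63    name: external-snapshotter-leaderelection-{{ include "csi-hostpath-driver.fullname" . }}
          # Quoted here and in the subject below so that a release namespace such as
          # 123, true or null still renders as a YAML string.
    64    namespace: {{ .Release.Namespace | quote }}
    65  subjects:
    66    - kind: ServiceAccount
    67      name: csi-snapshotter-{{ include "csi-hostpath-driver.fullname" . }}
    68      namespace: {{ .Release.Namespace | quote }}
    69  roleRef:
    70    kind: Role
          # Must match metadata.name of the Role defined earlier in this file.
    71    name: external-snapshotter-leaderelection-{{ include "csi-hostpath-driver.fullname" . }}
    72    apiGroup: rbac.authorization.k8s.io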