# k8s.io/kubernetes@v1.29.3/test/e2e/testing-manifests/storage-csi/external-attacher/rbac.yaml
#
# Do not edit, downloaded from https://github.com/kubernetes-csi/external-attacher/raw/v3.4.0/deploy/kubernetes//rbac.yaml
# for csi-driver-host-path v1.8.0
# by ./update-hostpath.sh
#
# All RBAC objects needed to run the external CSI attacher.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use a non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI attacher;
#   if it does, leadership election must be enabled, which changes the
#   RBAC setup (see the Role and RoleBinding at the end of this file)
---
# Identity that both bindings in this file name as their subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-attacher
  # replace with non-default namespace name
  namespace: default

---
# Attacher must be able to work with PVs, CSINodes and VolumeAttachments.
# This is a ClusterRole bound by a ClusterRoleBinding, so every rule here
# applies cluster-wide: the account can patch any PersistentVolume and any
# VolumeAttachment, not only those of one driver.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-attacher-runner
rules:
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - patch
  - apiGroups:
      - storage.k8s.io
    resources:
      - csinodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - volumeattachments
    verbs:
      - get
      - list
      - watch
      - patch
  - apiGroups:
      - storage.k8s.io
    resources:
      - volumeattachments/status
    verbs:
      - patch
  # Secret permission is optional.
  # Enable it if you need a value from a secret, for example when
  # StorageClass.parameters has the key
  # `csi.storage.k8s.io/controller-publish-secret-name`;
  # see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html
  # NOTE(review): uncommented in this ClusterRole, the rule grants get and
  # list on Secrets in every namespace, and both verbs return Secret data.
  # If the referenced secrets live in one known namespace, a namespaced Role
  # and RoleBinding there may be a narrower grant - confirm against the
  # driver's requirements.
  # - apiGroups:
  #     - ""
  #   resources:
  #     - secrets
  #   verbs:
  #     - get
  #     - list

---
# Grants the ClusterRole above to the csi-attacher ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-attacher-role
subjects:
  - kind: ServiceAccount
    name: csi-attacher
    # replace with non-default namespace name
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-attacher-runner

---
# Needed if (and only if) leadership election is enabled; without it this
# Role and the RoleBinding below can be left out.
# The upstream comment mentions configmaps or leases in the current
# namespace; the rule below grants leases only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-attacher-cfg
  # replace with non-default namespace name
  namespace: default
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - watch
      - list
      - delete
      - update
      - create

---
# Grants the lease Role above to the csi-attacher ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csi-attacher-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-attacher
    # replace with non-default namespace name
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: external-attacher-cfg