k8s.io/kubernetes@v1.29.3/test/e2e/testing-manifests/storage-csi/external-attacher/rbac.yaml (about)

     1  # Do not edit, downloaded from https://github.com/kubernetes-csi/external-attacher/raw/v3.4.0/deploy/kubernetes//rbac.yaml
     2  # for csi-driver-host-path v1.8.0
     3  # by ./update-hostpath.sh
     4  #
     5  # This YAML file contains all RBAC objects that are necessary to run external
     6  # CSI attacher.
     7  #
     8  # In production, each CSI driver deployment has to be customized:
     9  # - to avoid conflicts, use non-default namespace and different names
    10  #   for non-namespaced entities like the ClusterRole
    11  # - decide whether the deployment replicates the external CSI
    12  #   attacher, in which case leadership election must be enabled;
    13  #   this influences the RBAC setup, see below
    14  
    15  apiVersion: v1
    16  kind: ServiceAccount
        # Account that the ClusterRoleBinding and the RoleBinding in this file name as their subject.
    17  metadata:
    18    name: csi-attacher
    19    # replace with non-default namespace name
          # When changing it, set the subject namespace in both bindings and the namespace of the
          # Role and RoleBinding to the same value, or the grants no longer apply to this account.
    20    namespace: default
    21  
    22  ---
    23  # Attacher must be able to work with PVs, CSINodes and VolumeAttachments
        # No rule below carries resourceNames, so each verb applies to every object of the
        # listed resource in the cluster.
    24  kind: ClusterRole
    25  apiVersion: rbac.authorization.k8s.io/v1
    26  metadata:
    27    name: external-attacher-runner
    28  rules:
          # Read plus patch on PersistentVolumes (core API group).
    29    - apiGroups: [""]
    30      resources: ["persistentvolumes"]
    31      verbs: ["get", "list", "watch", "patch"]
          # Read-only access to CSINode objects.
    32    - apiGroups: ["storage.k8s.io"]
    33      resources: ["csinodes"]
    34      verbs: ["get", "list", "watch"]
          # Read plus patch on VolumeAttachment objects.
    35    - apiGroups: ["storage.k8s.io"]
    36      resources: ["volumeattachments"]
    37      verbs: ["get", "list", "watch", "patch"]
          # Subresources need their own rule; only patch is granted on the status subresource.
    38    - apiGroups: ["storage.k8s.io"]
    39      resources: ["volumeattachments/status"]
    40      verbs: ["patch"]
    41  #Secret permission is optional.
    42  #Enable it if you need value from secret.
    43  #For example, you have key `csi.storage.k8s.io/controller-publish-secret-name` in StorageClass.parameters
    44  #see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html
        # NOTE(review): this role is bound through a ClusterRoleBinding, so enabling the rule below
        # as written grants get/list on Secrets in every namespace, and list returns the Secret
        # data itself. Where the deployment allows it, consider granting Secret access through a
        # RoleBinding in only the namespace(s) that hold the publish secrets - confirm with the
        # driver's documentation.
    45  #  - apiGroups: [""]
    46  #    resources: ["secrets"]
    47  #    verbs: ["get", "list"]
    48  
    49  ---
    50  kind: ClusterRoleBinding
        # Grants the external-attacher-runner ClusterRole cluster-wide to the csi-attacher
        # ServiceAccount.
    51  apiVersion: rbac.authorization.k8s.io/v1
    52  metadata:
    53    name: csi-attacher-role
    54  subjects:
    55    - kind: ServiceAccount
    56      name: csi-attacher
    57      # replace with non-default namespace name
            # Must equal the namespace of the csi-attacher ServiceAccount. RBAC does not check that
            # a subject exists, so a mismatch leaves the role bound to whatever account later takes
            # this name in the namespace written here.
    58      namespace: default
    59  roleRef:
    60    kind: ClusterRole
    61    name: external-attacher-runner
    62    apiGroup: rbac.authorization.k8s.io
    63  
    64  ---
    65  # Attacher must be able to work with configmaps or leases in the current namespace
    66  # if (and only if) leadership election is enabled
        # NOTE(review): only leases (coordination.k8s.io) are granted below; this Role contains no
        # configmaps rule. The rule has no resourceNames, so it covers every Lease in this
        # namespace, including leases of other components that share it. If leadership election
        # is not enabled, the comment above implies this Role and its RoleBinding can be left out.
    67  kind: Role
    68  apiVersion: rbac.authorization.k8s.io/v1
    69  metadata:
    70    # replace with non-default namespace name
    71    namespace: default
    72    name: external-attacher-cfg
    73  rules:
    74  - apiGroups: ["coordination.k8s.io"]
    75    resources: ["leases"]
    76    verbs: ["get", "watch", "list", "delete", "update", "create"]
    77  
    78  ---
    79  kind: RoleBinding
        # Grants the external-attacher-cfg Role (Lease access) to the csi-attacher ServiceAccount,
        # within the namespace given in metadata only.
    80  apiVersion: rbac.authorization.k8s.io/v1
    81  metadata:
    82    name: csi-attacher-role-cfg
    83    # replace with non-default namespace name
          # A RoleBinding can only reference a Role in its own namespace, so this must match the
          # namespace of external-attacher-cfg.
    84    namespace: default
    85  subjects:
    86    - kind: ServiceAccount
    87      name: csi-attacher
    88      # replace with non-default namespace name
            # Must equal the namespace of the csi-attacher ServiceAccount; RBAC does not verify
            # that the subject exists.
    89      namespace: default
    90  roleRef:
    91    kind: Role
    92    name: external-attacher-cfg
    93    apiGroup: rbac.authorization.k8s.io