# Source: k8s.io/kubernetes@v1.29.3/test/e2e/testing-manifests/storage-csi/external-health-monitor/external-health-monitor-controller/rbac.yaml
#
# Do not edit, downloaded from https://github.com/kubernetes-csi/external-health-monitor/raw/v0.4.0/deploy/kubernetes/external-health-monitor-controller/rbac.yaml
# for csi-driver-host-path v1.8.0
# by ./update-hostpath.sh
#
# RBAC objects required to run the external CSI health monitor controller:
# one ServiceAccount, a ClusterRole with its ClusterRoleBinding, and a
# namespaced Role with its RoleBinding.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use a non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI health
#   monitor controller, in which case leadership election must be enabled;
#   this influences the RBAC setup, see the Role further down
#
# The namespace "default" appears five times in this file (ServiceAccount,
# both binding subjects, Role, RoleBinding). A binding subject names the
# ServiceAccount by name and namespace, so all five must be changed together.

---
# Identity the controller runs as; both bindings in this file refer to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-external-health-monitor-controller
  # replace with non-default namespace name
  namespace: default

---
# Cluster-wide permissions of the health monitor controller.
# PVs, PVCs, Nodes and Pods are read-only (get/list/watch); Events
# additionally allow create and patch. No other write verb is granted here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-health-monitor-controller-runner
rules:
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - patch

---
# Grants the ClusterRole above to the ServiceAccount. Being a
# ClusterRoleBinding, the grant applies in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-external-health-monitor-controller-role
subjects:
  - kind: ServiceAccount
    name: csi-external-health-monitor-controller
    # replace with non-default namespace name
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-health-monitor-controller-runner

---
# Leader-election permissions in the controller's own namespace, needed
# if (and only if) leadership election is enabled.
# The upstream comment speaks of "configmaps or leases"; the rule below
# grants Leases only.
# The rule has no resourceNames restriction, so it covers every Lease in
# this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-health-monitor-controller-cfg
  # replace with non-default namespace name
  namespace: default
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - watch
      - list
      - delete
      - update
      - create

---
# Grants the leader-election Role to the ServiceAccount, in that Role's
# namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csi-external-health-monitor-controller-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-external-health-monitor-controller
    # replace with non-default namespace name
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: external-health-monitor-controller-cfg