k8s.io/kubernetes@v1.29.3/test/e2e/testing-manifests/storage-csi/external-provisioner/rbac.yaml

# Do not edit, downloaded from https://github.com/kubernetes-csi/external-provisioner/raw/v3.1.0/deploy/kubernetes//rbac.yaml
# for csi-driver-host-path v1.8.0
# by ./update-hostpath.sh
#
# This YAML file contains all RBAC objects that are necessary to run external
# CSI provisioner.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI
#   provisioner, in which case leadership election must be enabled;
#   this influences the RBAC setup, see below
#
# Objects in this file, in order:
#   1. ServiceAccount csi-provisioner (namespaced)
#   2. ClusterRole external-provisioner-runner: cluster-wide permissions
#   3. ClusterRoleBinding csi-provisioner-role: binds 1 to 2
#   4. Role external-provisioner-cfg: namespace-scoped permissions
#   5. RoleBinding csi-provisioner-role-cfg: binds 1 to 4
# Every "namespace: default" below has to be changed together when the
# deployment moves to another namespace: both bindings identify the
# ServiceAccount by name *and* namespace.

# The identity the external-provisioner pod runs as. Both bindings below
# refer to this account by name and namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-provisioner
  # replace with non-default namespace name
  namespace: default

---
# Cluster-scoped permissions. Everything granted here applies to the named
# resources in every namespace, so keep the list to what the provisioner
# actually needs for the driver in use.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-provisioner-runner
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # NOTE(review): because this is a ClusterRole, enabling the rule grants
  # read access to Secrets in every namespace. If the driver only needs
  # secrets from its own namespace, grant "secrets" get/list through a
  # namespaced Role instead (compare external-provisioner-cfg below).
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]
  # PersistentVolumes are cluster-scoped; create/delete on them is the
  # broadest write permission in this file and is the provisioner's core job.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # Claims are read and updated; the provisioner never creates or deletes them.
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  # Read-only access to StorageClasses.
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  # Events are write-mostly: no "get" here, only list/watch plus
  # create/update/patch.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Read-only access to snapshot objects (no watch); presumably used when a
  # volume is provisioned from a VolumeSnapshot data source — verify against
  # the provisioner version in use.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  # Read-only access to node information (CSINode and Node objects).
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Access to volumeattachments is only needed when the CSI driver
  # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
  # In that case, external-provisioner will watch volumeattachments
  # to determine when it is safe to delete a volume.
  # Read-only; the rule can be removed for drivers without that capability.
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch"]

---
# Grants the cluster-wide rules above to the ServiceAccount. The subject's
# namespace must match the ServiceAccount document at the top of this file,
# otherwise the binding silently refers to a non-existent account.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-provisioner-role
subjects:
  - kind: ServiceAccount
    name: csi-provisioner
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: ClusterRole
  name: external-provisioner-runner
  apiGroup: rbac.authorization.k8s.io

---
# Provisioner must be able to work with endpoints in current namespace
# if (and only if) leadership election is enabled
#
# Namespace-scoped permissions: only objects in this Role's namespace are
# affected.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # replace with non-default namespace name
  namespace: default
  name: external-provisioner-cfg
rules:
# Only one of the following rules for endpoints or leases is required based on
# what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases.
# NOTE(review): as shipped, both rules are granted with the full
# get/watch/list/delete/update/create verb set. For least privilege keep only
# the rule matching the leader-election type actually configured, and drop
# both when the provisioner runs unreplicated without leader election (see
# the header comment).
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "watch", "list", "delete", "update", "create"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "watch", "list", "delete", "update", "create"]
# Permissions for CSIStorageCapacity are only needed when enabling the publishing
# of storage capacity information.
# Apart from leader election this is the only rule in the Role with write
# verbs (create/update/patch/delete); remove it when capacity publishing is off.
- apiGroups: ["storage.k8s.io"]
  resources: ["csistoragecapacities"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# The GET permissions below are needed for walking up the ownership chain
# for CSIStorageCapacity. They are sufficient for deployment via
# StatefulSet (only needs to get Pod) and Deployment (needs to get
# Pod and then ReplicaSet to find the Deployment).
# "get" only — no list/watch — so the provisioner can read a Pod or
# ReplicaSet it already knows by name but cannot enumerate them.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get"]

---
# Binds the namespaced Role to the ServiceAccount. A RoleBinding can only
# reference a Role in its own namespace, so metadata.namespace here must
# match the Role above, and the subject's namespace must match the
# ServiceAccount at the top of the file.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-provisioner-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-provisioner
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: Role
  name: external-provisioner-cfg
  apiGroup: rbac.authorization.k8s.io