# Do not edit, downloaded from https://github.com/kubernetes-csi/external-provisioner/raw/v3.1.0/deploy/kubernetes//rbac.yaml
# for csi-driver-host-path v1.8.0
# by ./update-hostpath.sh
#
# This YAML file contains all RBAC objects that are necessary to run external
# CSI provisioner.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI
#   provisioner, in which case leadership election must be enabled;
#   this influences the RBAC setup, see below
# - keep every `namespace:` below in sync: a binding whose subject
#   namespace does not match the ServiceAccount grants nothing, and the
#   API server does not report the mismatch.
#
# NOTE(review): this is the e2e test copy. Every rule here is granted
# unconditionally; the comments mark which ones are optional so a
# production deployment can drop what its driver does not need.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-provisioner
  # replace with non-default namespace name
  namespace: default

---
# Cluster-scoped permissions. Bound below via a ClusterRoleBinding, so
# every rule in this role applies across ALL namespaces.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-provisioner-runner
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # NOTE(review): as written, this would grant get/list on every Secret in
  # the cluster (the binding is a ClusterRoleBinding). If the driver needs
  # secrets, prefer limiting the rule with `resourceNames`, or put it in a
  # namespaced Role bound only in the namespace holding the driver's
  # credentials.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]
  # Core provisioner duty: create and delete PersistentVolumes. Note that
  # `delete` is cluster-wide -- anything running as this ServiceAccount can
  # remove any PV.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # Claims are watched in every namespace; `update` is used to bind them.
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  # Events are emitted on the PVC/PV being provisioned.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Read-only access to snapshots, used when a PVC requests a volume
  # restored from a VolumeSnapshot data source.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  # Read-only node/topology information.
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Access to volumeattachments is only needed when the CSI driver
  # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
  # In that case, external-provisioner will watch volumeattachments
  # to determine when it is safe to delete a volume.
  # NOTE(review): drop this rule for drivers without that capability.
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch"]

---
# Grants the ClusterRole above to the provisioner's ServiceAccount.
# The subject namespace must match the ServiceAccount's namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-provisioner-role
subjects:
  - kind: ServiceAccount
    name: csi-provisioner
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: ClusterRole
  name: external-provisioner-runner
  apiGroup: rbac.authorization.k8s.io

---
# Provisioner must be able to work with endpoints in current namespace
# if (and only if) leadership election is enabled.
# Namespace-scoped permissions; nothing in this Role reaches outside the
# provisioner's own namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # replace with non-default namespace name
  namespace: default
  name: external-provisioner-cfg
rules:
  # Only one of the following rules for endpoints or leases is required based on
  # what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases.
  # NOTE(review): both rules are granted here. In production keep only the
  # one matching the configured lock type (normally leases), and remove
  # both if leader election is disabled. Also confirm whether the deployed
  # external-provisioner still supports endpoints-based election at all;
  # if not, the endpoints rule is dead privilege.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  # Permissions for CSIStorageCapacity are only needed when enabling the
  # publishing of storage capacity information (the provisioner's capacity
  # feature flag -- verify the exact flag for the deployed version).
  # NOTE(review): drop this rule, and the two `get` rules below, when
  # capacity publishing is not enabled.
  - apiGroups: ["storage.k8s.io"]
    resources: ["csistoragecapacities"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # The GET permissions below are needed for walking up the ownership chain
  # for CSIStorageCapacity. They are sufficient for deployment via
  # StatefulSet (only needs to get Pod) and Deployment (needs to get
  # Pod and then ReplicaSet to find the Deployment).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get"]

---
# Grants the namespaced Role above to the same ServiceAccount. All three
# `namespace:` values (here, in the Role, and in the ServiceAccount) must
# agree.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-provisioner-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-provisioner
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: Role
  name: external-provisioner-cfg
  apiGroup: rbac.authorization.k8s.io