k8s.io/kubernetes@v1.29.3/test/e2e/testing-manifests/storage-csi/external-resizer/rbac.yaml (about)

     1  # Do not edit, downloaded from https://github.com/kubernetes-csi/external-resizer/raw/v1.4.0/deploy/kubernetes//rbac.yaml
     2  # for csi-driver-host-path v1.8.0
     3  # by ./update-hostpath.sh
     4  #
     5  # This YAML file contains all RBAC objects that are necessary to run external
     6  # CSI resizer.
     7  #
     8  # In production, each CSI driver deployment has to be customized:
     9  # - to avoid conflicts, use non-default namespace and different names
    10  #   for non-namespaced entities like the ClusterRole
    11  # - decide whether the deployment replicates the external CSI
    12  #   resizer, in which case leadership election must be enabled;
    13  #   this influences the RBAC setup, see below
    14  
    15  apiVersion: v1
    16  kind: ServiceAccount
        # Both the ClusterRoleBinding and the RoleBinding in this file name this
        # account as their subject, so its name and namespace must stay in sync
        # with those `subjects` entries.
    17  metadata:
    18    name: csi-resizer
    19    # replace with non-default namespace name
          # Any principal allowed to create pods in this namespace can run them
          # under this account and so inherit its bindings.
    20    namespace: default
    21  
    22  ---
    23  # Resizer must be able to work with PVCs, PVs, SCs.
        # NOTE(review): no rule below names storageclasses, although the line
        # above mentions SCs; confirm whether that access is still expected.
        # This role is cluster-scoped: the ClusterRoleBinding in this file grants
        # every rule below in all namespaces.
    24  kind: ClusterRole
    25  apiVersion: rbac.authorization.k8s.io/v1
    26  metadata:
    27    name: external-resizer-runner
    28  rules:
    29    # The following rule should be uncommented for plugins that require secrets
    30    # for provisioning.
          # Because this role is bound cluster-wide, enabling the rule lets the
          # service account read Secret contents in every namespace ("list" and
          # "watch" return full objects, not only names). Enable it only for
          # drivers that need it.
    31    # - apiGroups: [""]
    32    #   resources: ["secrets"]
    33    #   verbs: ["get", "list", "watch"]
          # PersistentVolumes: read access plus "patch", the only write verb granted.
    34    - apiGroups: [""]
    35      resources: ["persistentvolumes"]
    36      verbs: ["get", "list", "watch", "patch"]
          # PersistentVolumeClaims: read-only on the main resource; the only write
          # access is "patch" on the status subresource, granted further down.
    37    - apiGroups: [""]
    38      resources: ["persistentvolumeclaims"]
    39      verbs: ["get", "list", "watch"]
          # Pods: read-only, in all namespaces.
    40    - apiGroups: [""]
    41      resources: ["pods"]
    42      verbs: ["get", "list", "watch"]
          # Write access to PVCs is limited to "patch" on the status subresource.
    43    - apiGroups: [""]
    44      resources: ["persistentvolumeclaims/status"]
    45      verbs: ["patch"]
          # Events: can be listed, watched, created and modified; neither "get" nor
          # "delete" is granted.
    46    - apiGroups: [""]
    47      resources: ["events"]
    48      verbs: ["list", "watch", "create", "update", "patch"]
    49  
    50  ---
    51  kind: ClusterRoleBinding
    52  apiVersion: rbac.authorization.k8s.io/v1
        # Grants the external-resizer-runner ClusterRole to the csi-resizer
        # ServiceAccount across the whole cluster. A ClusterRoleBinding is not
        # namespaced, so its name must be unique in the cluster.
    53  metadata:
    54    name: csi-resizer-role
    55  subjects:
    56    - kind: ServiceAccount
    57      name: csi-resizer
    58      # replace with non-default namespace name
            # Must match the ServiceAccount's own namespace; otherwise the grant
            # goes to whatever account carries this name in the namespace written
            # here.
    59      namespace: default
    60  roleRef:
    61    kind: ClusterRole
    62    name: external-resizer-runner
    63    apiGroup: rbac.authorization.k8s.io
    64  
    65  ---
    66  # Resizer must be able to work with Lease objects (coordination.k8s.io) in
    67  # the current namespace if (and only if) leadership election is enabled.
        # The rule sets no resourceNames, so it covers every Lease in the
        # namespace, not only one used by the resizer; "update" and "delete" then
        # also apply to leases held by other components that share the namespace.
    68  kind: Role
    69  apiVersion: rbac.authorization.k8s.io/v1
    70  metadata:
    71    # replace with non-default namespace name
    72    namespace: default
    73    name: external-resizer-cfg
    74  rules:
    75  - apiGroups: ["coordination.k8s.io"]
    76    resources: ["leases"]
    77    verbs: ["get", "watch", "list", "delete", "update", "create"]
    78  
    79  ---
    80  kind: RoleBinding
    81  apiVersion: rbac.authorization.k8s.io/v1
        # Grants the namespaced external-resizer-cfg Role (Lease access) to the
        # csi-resizer ServiceAccount. Per the comment on that Role, this is needed
        # only when leadership election is enabled.
    82  metadata:
    83    name: csi-resizer-role-cfg
    84    # replace with non-default namespace name
          # A RoleBinding can only reference a Role in its own namespace, so this
          # value must equal the namespace of external-resizer-cfg.
    85    namespace: default
    86  subjects:
    87    - kind: ServiceAccount
    88      name: csi-resizer
    89      # replace with non-default namespace name
            # Must match the namespace of the csi-resizer ServiceAccount.
    90      namespace: default
    91  roleRef:
    92    kind: Role
    93    name: external-resizer-cfg
    94    apiGroup: rbac.authorization.k8s.io