---
# Source: k8s.io/kubernetes@v1.29.3/test/e2e/testing-manifests/storage-csi/external-resizer/rbac.yaml
#
# Do not edit, downloaded from https://github.com/kubernetes-csi/external-resizer/raw/v1.4.0/deploy/kubernetes//rbac.yaml
# for csi-driver-host-path v1.8.0
# by ./update-hostpath.sh
#
# RBAC objects that are necessary to run the external CSI resizer.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use a non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI resizer,
#   in which case leadership election must be enabled; this influences
#   the RBAC setup (see the Role and RoleBinding at the end of this file)

# Identity the resizer runs as. Both bindings in this file name this
# account as their subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-resizer
  # replace with non-default namespace name
  namespace: default

---
# Resizer must be able to work with PVCs, PVs, SCs.
# NOTE(review): no storageclasses rule appears below even though the
# comment above mentions SCs.
#
# This is a ClusterRole and it is bound with a ClusterRoleBinding, so
# every rule listed here applies in all namespaces, not only the one the
# resizer is deployed in.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-resizer-runner
rules:
  # The following rule should be uncommented for plugins that require
  # secrets for provisioning. Because this role is bound cluster-wide,
  # enabling it gives the resizer read access to Secrets in every
  # namespace; leave it commented out unless the driver needs it.
  # - apiGroups:
  #     - ""
  #   resources:
  #     - secrets
  #   verbs:
  #     - get
  #     - list
  #     - watch
  #
  # PVs are the only core resource here that the resizer may patch
  # directly.
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - patch
  # Read-only access to the claims themselves ...
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
  # Read-only access to pods.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  # ... while write access to claims is limited to the status
  # subresource.
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims/status
    verbs:
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - list
      - watch
      - create
      - update
      - patch

---
# Grants the ClusterRole above to the csi-resizer ServiceAccount across
# the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-resizer-role
subjects:
  - kind: ServiceAccount
    name: csi-resizer
    # replace with non-default namespace name; this must be the namespace
    # the ServiceAccount is created in
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-resizer-runner

---
# Resizer must be able to work with leases in the current namespace
# if (and only if) leadership election is enabled.
# (The upstream comment says "end point"; the rule below grants access
# to Lease objects in coordination.k8s.io.)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-resizer-cfg
  # replace with non-default namespace name
  namespace: default
rules:
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - watch
      - list
      - delete
      - update
      - create

---
# Grants the namespaced lease permissions above to the csi-resizer
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csi-resizer-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-resizer
    # replace with non-default namespace name
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: external-resizer-cfg