---
# k8s.io/kubernetes@v1.29.3/test/e2e/testing-manifests/storage-csi/gce-pd/csi-controller-rbac.yaml
#
# Controller ServiceAccount, Roles and RoleBindings.
#
# Every binding in this file names the same subject, csi-gce-pd-controller-sa.
# That one account therefore holds the union of the provisioner, attacher,
# resizer, snapshotter and leader-election rules, plus whatever the
# e2e-test-privileged-psp ClusterRole grants.
#
# Neither the ServiceAccount nor any ServiceAccount subject below carries a
# namespace.
# NOTE(review): presumably the e2e harness fills the namespace in when it
# loads this manifest - confirm before reusing the file outside the tests.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-gce-pd-controller-sa

---
# xref: https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml
#
# Provisioner rules. Cluster-wide create/delete on PersistentVolumes is the
# widest grant in this role; nodes, csinodes, storageclasses and the two
# snapshot resources are read-only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-provisioner-role
rules:
  - apiGroups: ['']
    resources: ['persistentvolumes']
    verbs: ['get', 'list', 'watch', 'create', 'delete']
  - apiGroups: ['']
    resources: ['persistentvolumeclaims']
    verbs: ['get', 'list', 'watch', 'update']
  - apiGroups: ['storage.k8s.io']
    resources: ['storageclasses']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['']
    resources: ['events']
    verbs: ['list', 'watch', 'create', 'update', 'patch']
  - apiGroups: ['storage.k8s.io']
    resources: ['csinodes']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['']
    resources: ['nodes']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['snapshot.storage.k8s.io']
    resources: ['volumesnapshots']
    verbs: ['get', 'list']
  - apiGroups: ['snapshot.storage.k8s.io']
    resources: ['volumesnapshotcontents']
    verbs: ['get', 'list']

---
# Grants the provisioner rules to the controller ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-provisioner-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-provisioner-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa

---
# xref: https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml
#
# Attacher rules. Write access is limited to update/patch on PersistentVolumes
# and VolumeAttachments and patch on the volumeattachments/status subresource;
# no create or delete verb appears in this role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-attacher-role
rules:
  - apiGroups: ['']
    resources: ['persistentvolumes']
    verbs: ['get', 'list', 'watch', 'update', 'patch']
  - apiGroups: ['']
    resources: ['nodes']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['storage.k8s.io']
    resources: ['csinodes']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['storage.k8s.io']
    resources: ['volumeattachments']
    verbs: ['get', 'list', 'watch', 'update', 'patch']
  - apiGroups: ['storage.k8s.io']
    resources: ['volumeattachments/status']
    verbs: ['patch']

---
# Grants the attacher rules to the controller ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-attacher-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-attacher-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa

---
# Resizer must be able to work with PVCs, PVs, SCs.
# The rules below cover PVs, PVCs, the persistentvolumeclaims/status
# subresource and events; this role contains no storageclasses rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-resizer-role
rules:
  - apiGroups: ['']
    resources: ['persistentvolumes']
    verbs: ['get', 'list', 'watch', 'update', 'patch']
  - apiGroups: ['']
    resources: ['persistentvolumeclaims']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['']
    resources: ['persistentvolumeclaims/status']
    verbs: ['update', 'patch']
  - apiGroups: ['']
    resources: ['events']
    verbs: ['list', 'watch', 'create', 'update', 'patch']

---
# Grants the resizer rules to the controller ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-resizer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-resizer-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa

---
# xref: https://github.com/kubernetes-csi/external-snapshotter/blob/master/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml
#
# Snapshotter rules. volumesnapshotclasses is read-only; volumesnapshotcontents
# allows update, patch and delete but not create.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-gce-pd-snapshotter-role
rules:
  - apiGroups: ['']
    resources: ['events']
    verbs: ['list', 'watch', 'create', 'update', 'patch']
  - apiGroups: ['snapshot.storage.k8s.io']
    resources: ['volumesnapshotclasses']
    verbs: ['get', 'list', 'watch']
  - apiGroups: ['snapshot.storage.k8s.io']
    resources: ['volumesnapshotcontents']
    verbs: ['get', 'list', 'watch', 'update', 'delete', 'patch']
  - apiGroups: ['snapshot.storage.k8s.io']
    resources: ['volumesnapshotcontents/status']
    verbs: ['update', 'patch']

---
# Grants the snapshotter rules to the controller ServiceAccount, cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-gce-pd-controller-snapshotter-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-gce-pd-snapshotter-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa

---
# Leader-election rules. This is the only namespaced Role in the file: it is
# scoped to the gce-pd-csi-driver namespace and touches Lease objects only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: csi-gce-pd-leaderelection-role
  namespace: gce-pd-csi-driver
  labels:
    k8s-app: gcp-compute-persistent-disk-csi-driver
rules:
  - apiGroups: ['coordination.k8s.io']
    resources: ['leases']
    verbs: ['get', 'watch', 'list', 'delete', 'update', 'create']

---
# Binds the leader-election Role inside the gce-pd-csi-driver namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csi-gce-pd-controller-leaderelection-binding
  namespace: gce-pd-csi-driver
  labels:
    k8s-app: gcp-compute-persistent-disk-csi-driver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: csi-gce-pd-leaderelection-role
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa

---
# privileged Pod Security Policy, previously defined via PrivilegedTestPSPClusterRoleBinding()
#
# The referenced ClusterRole, e2e-test-privileged-psp, is not defined in this
# file, so what it grants cannot be read from here.
# NOTE(review): PodSecurityPolicy was removed in Kubernetes v1.25 and this
# manifest is from v1.29.3 - confirm whether e2e-test-privileged-psp still
# exists and whether this binding is still needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: psp-csi-controller-driver-registrar-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: e2e-test-privileged-psp
subjects:
  - kind: ServiceAccount
    name: csi-gce-pd-controller-sa