k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/test/e2e/testing-manifests/storage-csi/external-provisioner/rbac.yaml (about)

     1  # Do not edit, downloaded from https://github.com/kubernetes-csi/external-provisioner/raw/v4.0.0/deploy/kubernetes//rbac.yaml
     2  # for csi-driver-host-path release-1.13
     3  # by ./update-hostpath.sh
     4  #
     5  # This YAML file contains all RBAC objects that are necessary to run external
     6  # CSI provisioner.
     7  #
     8  # In production, each CSI driver deployment has to be customized:
     9  # - to avoid conflicts, use non-default namespace and different names
    10  #   for non-namespaced entities like the ClusterRole
    11  # - decide whether the deployment replicates the external CSI
    12  #   provisioner, in which case leadership election must be enabled;
    13  #   this influences the RBAC setup, see below
    14  
# Identity that the external-provisioner sidecar runs as. The
# ClusterRoleBinding and the RoleBinding further down name exactly this
# name/namespace pair, so all three must be changed together.
# Keep this account dedicated to the provisioner pod: through the
# ClusterRoleBinding it can create and delete any PersistentVolume.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-provisioner
  # replace with non-default namespace name
  namespace: default
    21  
    22  ---
# Cluster-scoped permissions for the provisioner. Because this is a
# ClusterRole, every rule applies to the named resources in ALL namespaces.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # cluster-scoped name: rename per deployment to avoid conflicts (see header)
  name: external-provisioner-runner
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # Security note: in a ClusterRole, "get"/"list" on secrets means read
  # access to every Secret in every namespace, so a compromised provisioner
  # pod could dump all of them. Leave it commented out unless the driver
  # really needs provisioning secrets, and check whether your driver needs
  # "list" (not only "get") before granting it.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]
  # "create"/"delete" apply to any PersistentVolume in the cluster, not only
  # to volumes this provisioner created; RBAC cannot narrow this further.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # read plus "update" on claims; no "create" or "delete"
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  # read-only
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  # write access to events (cluster-wide); no "get" or "delete"
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # read-only access to snapshot objects (no "watch")
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  # read-only
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  # read-only
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Access to volumeattachments is only needed when the CSI driver
  # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
  # In that case, external-provisioner will watch volumeattachments
  # to determine when it is safe to delete a volume. Drop this rule
  # if your driver does not have that capability.
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch"]
  # (Alpha) Access to referencegrants is only needed when the CSI driver
  # has the CrossNamespaceVolumeDataSource controller capability.
  # In that case, external-provisioner requires "get", "list", "watch"
  # permissions for "referencegrants" on "gateway.networking.k8s.io".
  #- apiGroups: ["gateway.networking.k8s.io"]
  #  resources: ["referencegrants"]
  #  verbs: ["get", "list", "watch"]
    71  
    72  ---
# Binds the cluster-scoped rules of external-provisioner-runner to the
# provisioner's ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # cluster-scoped name: rename per deployment to avoid conflicts (see header)
  name: csi-provisioner-role
subjects:
  - kind: ServiceAccount
    name: csi-provisioner
    # replace with non-default namespace name; it must match the
    # ServiceAccount above, otherwise nothing is granted to that account
    namespace: default
roleRef:
  kind: ClusterRole
  name: external-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
    86  
    87  ---
# Namespace-scoped permissions for the provisioner. Only the Lease rule
# is tied to leader election (needed if, and only if, it is enabled); the
# CSIStorageCapacity, pods and replicasets rules are tied to storage
# capacity publishing. Drop the rules for features you do not enable.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # replace with non-default namespace name
  namespace: default
  name: external-provisioner-cfg
rules:
# Leader election uses Lease objects in this namespace. Only the Lease
# rule is listed; the older endpoints-based alternative (selected via
# `--leader-election-type`) is not included in this file.
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "watch", "list", "delete", "update", "create"]
# Permissions for CSIStorageCapacity are only needed when publishing of
# storage capacity information is enabled. As this is a Role, they are
# limited to this namespace.
- apiGroups: ["storage.k8s.io"]
  resources: ["csistoragecapacities"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# The GET permissions below are needed for walking up the ownership chain
# for CSIStorageCapacity. They are sufficient for deployment via
# StatefulSet (only needs to get Pod) and Deployment (needs to get
# Pod and then ReplicaSet to find the Deployment). Only "get" is granted,
# no "list"/"watch", so the account cannot enumerate pods here.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get"]
   117  
   118  ---
# Binds the namespaced rules of external-provisioner-cfg to the
# provisioner's ServiceAccount. The roleRef resolves to the Role of that
# name in this binding's namespace, so the binding must be created in the
# same namespace as the Role.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-provisioner-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-provisioner
    # replace with non-default namespace name; it must match the
    # ServiceAccount above, otherwise nothing is granted to that account
    namespace: default
roleRef:
  kind: Role
  name: external-provisioner-cfg
  apiGroup: rbac.authorization.k8s.io