# Listing: k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/test/e2e/testing-manifests/storage-csi/external-resizer/rbac.yaml
#
# Do not edit, downloaded from https://github.com/kubernetes-csi/external-resizer/raw/v1.10.0/deploy/kubernetes//rbac.yaml
# for csi-driver-host-path release-1.13
# by ./update-hostpath.sh
# NOTE(review): presumably the script re-downloads this file, so local edits
# would be overwritten; confirm before changing anything here.
#
# This YAML file contains all RBAC objects that are necessary to run the
# external CSI resizer.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use a non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI resizer,
#   in which case leadership election must be enabled; this influences
#   the RBAC setup, see below
#
# Privilege summary for reviewers:
# - external-resizer-runner is a ClusterRole bound through a
#   ClusterRoleBinding, so each of its rules applies in every namespace.
# - external-resizer-cfg is a namespaced Role; its lease access is limited
#   to the namespace named in its metadata.
# - Everything is granted to the single ServiceAccount csi-resizer; a
#   workload running under that account receives all rules below.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-resizer
  # replace with non-default namespace name
  # (a dedicated namespace keeps this account away from unrelated workloads)
  namespace: default

---
# Resizer must be able to work with PVCs, PVs, SCs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-resizer-runner
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning.
  # Because this is a ClusterRole bound cluster-wide, enabling it grants read
  # access to Secrets in all namespaces; list and watch return the secret
  # data itself. Leave it disabled unless the driver needs it.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list", "watch"]
  # The only write verb on PersistentVolumes is patch.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "patch"]
  # Read-only on the claim objects; writes go to the status subresource below.
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  # Read-only view of pods, in every namespace.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # only required if enabling the alpha volume modify feature;
  # can be dropped when that feature stays disabled
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattributesclasses"]
    verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-resizer-role
subjects:
  - kind: ServiceAccount
    name: csi-resizer
    # replace with non-default namespace name
    # (must stay in step with the ServiceAccount's own namespace)
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-resizer-runner

---
# Resizer must be able to work with `leases` in current namespace
# if (and only if) leadership election is enabled
# When leadership election is off, this Role and the RoleBinding after it
# are not needed. The rule carries no resourceNames, so it covers every
# Lease in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-resizer-cfg
  # replace with non-default namespace name
  namespace: default
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csi-resizer-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-resizer
    # replace with non-default namespace name
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: external-resizer-cfg