# Source: k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/test/e2e/testing-manifests/storage-csi/external-snapshotter/csi-snapshotter/rbac-csi-snapshotter.yaml
#
# Do not edit, downloaded from https://github.com/kubernetes-csi/external-snapshotter/raw/v7.0.1/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml
# for csi-driver-host-path release-1.13
# by ./update-hostpath.sh
#
# Together with the RBAC file for external-provisioner, this YAML file
# contains all RBAC objects that are necessary to run external CSI
# snapshotter.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - optionally rename the non-namespaced ClusterRole if there
#   are conflicts with other deployments
#
# Objects defined below, in order:
#   1. ServiceAccount     csi-snapshotter
#   2. ClusterRole        external-snapshotter-runner
#   3. ClusterRoleBinding csi-snapshotter-role
#   4. Role               external-snapshotter-leaderelection
#   5. RoleBinding        external-snapshotter-leaderelection
#
# NOTE(review): the namespace "default" appears four times in this file (the
# ClusterRoleBinding subject, the Role, the RoleBinding and its subject). When
# the sidecar is moved to another namespace, all four must be changed together,
# otherwise the bindings point at a ServiceAccount that does not exist there.

---
# Identity the csi-snapshotter sidecar runs as. No namespace is set here, so
# the object is created in whichever namespace the manifest is applied to; that
# namespace has to match the `namespace:` of the binding subjects further down.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-snapshotter

---
# Cluster-scoped permissions for the sidecar. Because this is a ClusterRole
# that is bound through a ClusterRoleBinding (see the next document), every
# rule listed here applies in all namespaces.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # rename if there are conflicts
  name: external-snapshotter-runner
rules:
  # Core-group events: read and write, but neither "get" nor "delete".
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Secret permission is optional.
  # Enable it if your driver needs secret.
  # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
  # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
  #
  # NOTE(review): uncommenting the rule in this position grants "get" and
  # "list" on Secrets in every namespace, because it sits in a ClusterRole
  # bound by a ClusterRoleBinding. "list" returns full Secret objects,
  # including their data. If the driver needs secrets, consider granting the
  # access through a namespaced Role/RoleBinding limited to the namespace(s)
  # that hold the snapshotter secrets instead - confirm against the driver's
  # requirements.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]
  # Snapshot classes: read-only.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  # Namespaced VolumeSnapshot objects: read, create and modify (no "delete").
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]
  # VolumeSnapshotContent objects: read, create and modify (no "delete").
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]
  # Status subresource of VolumeSnapshotContent: write-only.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  # Group snapshot classes: read-only.
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotclasses"]
    verbs: ["get", "list", "watch"]
  # Group snapshot contents: read and modify. Unlike the
  # volumesnapshotcontents rule above, "create" is not granted here.
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # Status subresource of group snapshot contents: write-only.
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents/status"]
    verbs: ["update", "patch"]
---
# Binds the ClusterRole above to the csi-snapshotter ServiceAccount. This is
# what makes the ClusterRole's rules effective cluster-wide for that account.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-snapshotter-role
subjects:
  - kind: ServiceAccount
    name: csi-snapshotter
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: ClusterRole
  # change the name also here if the ClusterRole gets renamed
  name: external-snapshotter-runner
  apiGroup: rbac.authorization.k8s.io

---
# Namespaced permissions on Lease objects, named for leader election.
#
# NOTE(review): the rule has no `resourceNames`, so it covers every Lease in
# the Role's namespace, including "delete" and "update". In a shared namespace
# such as "default" that reaches Leases owned by other components; running the
# sidecar in a dedicated namespace keeps this grant confined to its own Leases.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default # TODO: replace with the namespace you want for your sidecar
  name: external-snapshotter-leaderelection
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---
# Binds the leader-election Role to the csi-snapshotter ServiceAccount. The
# RoleBinding's own namespace decides where the Role's rules take effect; the
# subject's namespace says where the ServiceAccount lives. Both are "default"
# here and carry the same TODO.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-snapshotter-leaderelection
  namespace: default # TODO: replace with the namespace you want for your sidecar
subjects:
  - kind: ServiceAccount
    name: csi-snapshotter
    namespace: default # TODO: replace with the namespace you want for your sidecar
roleRef:
  kind: Role
  name: external-snapshotter-leaderelection
  apiGroup: rbac.authorization.k8s.io