From 4f78bf06901162e97faddfca01aa2ba0ccdc9d78 Mon Sep 17 00:00:00 2001
From: Steffen Illium
Date: Thu, 25 Apr 2024 09:49:26 +0200
Subject: [PATCH] source and content
---
 .../04-rook-ceph/base/nfs-rbac.yaml | 116 ++++++++++++++++++
 1 file changed, 116 insertions(+)
diff --git a/infrastructure/04-rook-ceph/base/nfs-rbac.yaml b/infrastructure/04-rook-ceph/base/nfs-rbac.yaml
index e69de29..b02f4f5 100644
--- a/infrastructure/04-rook-ceph/base/nfs-rbac.yaml
+++ b/infrastructure/04-rook-ceph/base/nfs-rbac.yaml
@@ -0,0 +1,116 @@
+# https://github.com/rook/rook/blob/master/deploy/examples/csi/nfs/rbac.yaml
+####################################################################################################
+# These RBAC resources are required to allow Rook to run the NFS export CSI driver components.
+####################################################################################################
+---
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ceph-nfs-csi-nodeplugin
+ labels:
+ operator: rook
+ storage-backend: ceph
+ app.kubernetes.io/part-of: rook-ceph-operator
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ceph-nfs-external-provisioner-runner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "patch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
+---
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ceph-nfs-csi-nodeplugin-role
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-nfs-plugin-sa
+ namespace: rook-ceph # namespace:operator
+roleRef:
+ kind: ClusterRole
+ name: ceph-nfs-csi-nodeplugin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ceph-nfs-csi-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-nfs-provisioner-sa
+ namespace: rook-ceph # namespace:operator
+roleRef:
+ kind: ClusterRole
+ name: ceph-nfs-external-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
+---
+# Service account for the NFS CSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-nfs-plugin-sa
+ namespace: rook-ceph # namespace:operator
+# imagePullSecrets:
+# - name: my-registry-secret
+---
+# Service account for the NFS CSI provisioner
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-nfs-provisioner-sa
+ namespace: rook-ceph # namespace:operator
+# imagePullSecrets:
+# - name: my-registry-secret
\ No newline at end of file
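Review bot: The `ceph-nfs-external-provisioner-runner` ClusterRole grants `get` on core-group `secrets` with no `resourceNames` restriction, and `ceph-nfs-csi-provisioner-role` binds it through a ClusterRoleBinding, so the `rook-csi-nfs-provisioner-sa` identity can read every Secret in every namespace of the cluster. Presumably this exists so the provisioner can resolve the secret references in StorageClass parameters, but that only needs access in the namespaces that actually hold those secrets; a namespaced Role/RoleBinding there, or a `resourceNames` list on this rule, would limit what a compromised provisioner pod can reach. If the broad grant is kept on purpose to stay aligned with the upstream example, record that next to the rule, e.g. `# NOTE: cluster-wide Secret read, kept to match upstream rook rbac.yaml; needed for <REASON-PLACEHOLDER>`. Minor: the new file ends without a trailing newline (`\ No newline at end of file`).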