deploy: allow RBD components to get ServiceAccounts

The provisioner and node-plugin have the capability to connect to Hashicorp Vault with a ServiceAccount from the Namespace where the PVC is created. This requires permissions to read the contents of the ServiceAccount from an other Namespace than where Ceph-CSI is deployed. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2024-11-22 06:10:22 +00:00 · 2021-06-24 12:39:40 +02:00 · 2021-06-24 12:39:40 +02:00 · 8662e01d2c
commit 8662e01d2c
parent 3d7d48a4aa
4 changed files with 12 additions and 0 deletions
--- a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
@ -22,4 +22,7 @@ rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get"]
 {{- end -}}
--- a/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml
@ -51,6 +51,9 @@ rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get"]
 {{- if .Values.provisioner.resizer.enabled }}
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
--- a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
@ -19,6 +19,9 @@ rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
--- a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
@ -55,6 +55,9 @@ rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1