deploy: allow rbd nodeplugin to read Secrets from Tenants

In order to fetch the Kubernetes Secret with the Vault Token for a
Tenant, the ClusterRole needs to allow reading Secrets from all
Kubernetes Namespaces (each Tenant has their own Namespace).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2020-12-10 11:27:11 +01:00 committed by mergify[bot]
parent 648f9ccf31
commit cb1899b8c0
2 changed files with 7 additions and 1 deletions


@ -1,5 +1,4 @@
{{- if .Values.rbac.create -}}
{{- if .Values.topology.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@ -11,8 +10,12 @@ metadata:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
{{- if .Values.topology.enabled }}
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get"]
{{- end }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
{{- end -}}
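Review bot: The new `secrets` rule at the end of `rules:` sits outside the `topology.enabled` block, so the nodeplugin ClusterRole now always carries `get` on Secrets in every namespace, and nothing in the file records why or how narrow it is meant to stay. Because the role is cluster-wide, the identity bound to it can read any Secret whose namespace and name it knows, not only the Tenant Vault tokens. Keeping the verbs at `get` (no `list`/`watch`) is what prevents enumeration and is worth stating, so I would add a comment above the rule such as `# read the per-Tenant Vault token Secret; keep to "get" only, never list/watch`. If the token Secret has a fixed name (not visible on this page), the rule could also be narrowed with `resourceNames: ["<token-secret-name>"]`. The same rule is added without comment in the second file's hunk (`@ -12,6 +12,9 @@`).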


@ -12,6 +12,9 @@ rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1