deploy: allow rbd nodeplugin to read Secrets from Tenants

In order to fetch the Kubernetes Secret with the Vault Token for a
Tenant, the ClusterRole needs to allow reading Secrets from all
Kubernetes Namespaces (each Tenant has their own Namespace).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2020-12-10 11:27:11 +01:00 committed by mergify[bot]
parent 648f9ccf31
commit cb1899b8c0
2 changed files with 7 additions and 1 deletions


@ -1,5 +1,4 @@
{{- if .Values.rbac.create -}} {{- if .Values.rbac.create -}}
{{- if .Values.topology.enabled }}
kind: ClusterRole kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
@ -11,8 +10,12 @@ metadata:
release: {{ .Release.Name }} release: {{ .Release.Name }}
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
rules: rules:
{{- if .Values.topology.enabled }}
- apiGroups: [""] - apiGroups: [""]
resources: ["nodes"] resources: ["nodes"]
verbs: ["get"] verbs: ["get"]
{{- end }} {{- end }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
{{- end -}} {{- end -}}
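Review bot: The new `secrets` rule at the end of `rules:` gives the nodeplugin ClusterRole `get` on every Secret in every namespace, and because it sits after the `{{- end }}` of the `topology.enabled` guard it is granted on every install, including ones that never use per-Tenant Vault tokens. The nodeplugin presumably runs on each node, so a leaked ServiceAccount token from a single node could read any Secret whose namespace and name are known. If the Tenant token Secret has a fixed, configured name, narrow the rule with `resourceNames: ["<tenant-token-secret-name>"]` (placeholder, the name is not shown on this page). Otherwise, document the intent above the rule, for example `# get only (no list/watch): reads the per-Tenant Vault token Secret from the Tenant's namespace`. The same unguarded rule is added in the second file's hunk, and the same applies there.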


@ -12,6 +12,9 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["nodes"] resources: ["nodes"]
verbs: ["get"] verbs: ["get"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1