From f4a0726226c4180c5173dd36b024fabab699c5c8 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Wed, 27 Feb 2019 12:15:40 +0530
Subject: [PATCH] Fix rbac issue in rbd plugin

remove unwanted rules and update rbac to have permission to modify endpoints and configmaps in the current namespace.

Signed-off-by: Madhu Rajanna
---
 deploy/rbd/kubernetes/csi-attacher-rbac.yaml | 3 --
 .../rbd/kubernetes/csi-provisioner-rbac.yaml | 41 +++++++++++++++----
 2 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/deploy/rbd/kubernetes/csi-attacher-rbac.yaml b/deploy/rbd/kubernetes/csi-attacher-rbac.yaml
index 7160e293e..aaa596721 100644
--- a/deploy/rbd/kubernetes/csi-attacher-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-attacher-rbac.yaml
@@ -10,9 +10,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-external-attacher-runner
 rules:
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["get", "list", "watch", "update"]
   - apiGroups: [""]
     resources: ["persistentvolumes"]
     verbs: ["get", "list", "watch", "update"]
diff --git a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
index 71ef4f160..cfd113591 100644
--- a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml
@@ -22,18 +22,9 @@ rules:
   - apiGroups: ["storage.k8s.io"]
     resources: ["storageclasses"]
     verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["events"]
-    verbs: ["list", "watch", "create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["endpoints"]
-    verbs: ["get", "create", "update"]
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshots"]
     verbs: ["get", "list", "watch", "update"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["get", "list", "create", "delete"]
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshotcontents"]
     verbs: ["create", "get", "list", "watch", "update", "delete"]
@@ -57,3 +48,35 @@ roleRef:
   kind: ClusterRole
   name: rbd-external-provisioner-runner
   apiGroup: rbac.authorization.k8s.io
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  # replace with non-default namespace name
+  namespace: default
+  name: rbd-external-provisioner-cfg
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rbd-csi-provisioner-role-cfg
+  # replace with non-default namespace name
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: rbd-csi-provisioner
+    # replace with non-default namespace name
+    namespace: default
+roleRef:
+  kind: Role
+  name: rbd-external-provisioner-cfg
+  apiGroup: rbac.authorization.k8s.io
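Review bot: The `rbd-external-provisioner-cfg` Role added here grants `delete` on every `endpoints` and `configmaps` object in the namespace, which is broader than the single leader-election lock object the sidecar presumably uses; if that lock's name is fixed, `get`, `update` and `delete` can be confined with `resourceNames` in a separate rule (`list`, `watch` and `create` cannot be name-scoped and stay as they are). The two rules are also asymmetric — `endpoints` carries `update` but `configmaps` does not — so a configmap-based lock could be created but never renewed; confirm which lock type the sidecar version in use expects. The `namespace: default` placeholder appears three times with an identical comment; a single comment above the first, e.g. `# all three namespace fields below must match the namespace the rbd-csi-provisioner ServiceAccount lives in`, would make the required consistency explicit. Separately, the previous hunk removes the `events` rule from the ClusterRole and nothing in this patch re-adds it, so if the provisioner still records Events those API calls will be denied (logged, not fatal) — worth confirming that is intended.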