mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-09-19 15:09:56 +00:00
de2489ed7d
This release of snapshotter has a breaking change as mentioned in the release note: Refer# [1]: https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v5.0.0 RBAC rules are also updated with this commit. Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
56 lines
1.1 KiB
YAML
56 lines
1.1 KiB
YAML
---
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: csi-snapshotter-psp
|
|
namespace: kube-system
|
|
spec:
|
|
allowPrivilegeEscalation: true
|
|
allowedCapabilities:
|
|
- "SYS_ADMIN"
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
privileged: true
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- "configMap"
|
|
- "emptyDir"
|
|
- "secret"
|
|
- "projected"
|
|
- "hostPath"
|
|
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: csi-snapshotter-psp
|
|
# replace with non-kube-system namespace name
|
|
namespace: kube-system
|
|
rules:
|
|
- apiGroups: ["policy"]
|
|
resources: ["podsecuritypolicies"]
|
|
verbs: ["use"]
|
|
resourceNames: ["csi-snapshotter-psp"]
|
|
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: csi-snapshotter-psp
|
|
# replace with non-kube-system namespace name
|
|
namespace: kube-system
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: snapshot-controller
|
|
# replace with non-kube-system namespace name
|
|
namespace: kube-system
|
|
roleRef:
|
|
kind: Role
|
|
name: csi-snapshotter-psp
|
|
apiGroup: rbac.authorization.k8s.io
|