mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-26 16:20:28 +00:00
8662e01d2c
The provisioner and node-plugin have the capability to connect to Hashicorp Vault with a ServiceAccount from the Namespace where the PVC is created. This requires permissions to read the contents of the ServiceAccount from an other Namespace than where Ceph-CSI is deployed. Signed-off-by: Niels de Vos <ndevos@redhat.com>
38 lines
825 B
YAML
38 lines
825 B
YAML
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: rbd-csi-nodeplugin
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: rbd-csi-nodeplugin
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["get"]
|
|
# allow to read Vault Token and connection options from the Tenants namespace
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["configmaps"]
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["serviceaccounts"]
|
|
verbs: ["get"]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: rbd-csi-nodeplugin
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rbd-csi-nodeplugin
|
|
namespace: default
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: rbd-csi-nodeplugin
|
|
apiGroup: rbac.authorization.k8s.io
|