mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-11 15:40:24 +00:00
3e9b438e7c
this allows the encryption KMS config to be granted secret access with a least privilges policy. Signed-off-by: Antoine C <hi@acolombier.dev>
28 lines
961 B
YAML
28 lines
961 B
YAML
{{- if .Values.rbac.create -}}
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
|
labels:
|
|
app: {{ include "ceph-csi-cephfs.name" . }}
|
|
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
|
component: {{ .Values.nodeplugin.name }}
|
|
release: {{ .Release.Name }}
|
|
heritage: {{ .Release.Service }}
|
|
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["get"]
|
|
# allow to read Vault Token and connection options from the Tenants namespace
|
|
- apiGroups: [""]
|
|
resources: ["configmaps"]
|
|
verbs: ["get"]
|
|
{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not .Values.rbac.leastPrivileges) }}
|
|
# allow to read the encryption key used with the metadata KMS
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get"]
|
|
{{- end -}}
|
|
{{- end -}}
|