mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-23 05:20:19 +00:00
10e4eee481
Nodeplugin needs below cluster roles: persistentvolumes: get volumeattachments: list, get These additional permissions are needed by the volume healer. Volume healer aims at fixing the volume health issues at the very startup time of the nodeplugin. As part of its operations, volume healer has to run through the list of volume attachments and understand details about each persistentvolume. The later commits will use these additional cluster roles. Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
44 lines
999 B
YAML
44 lines
999 B
YAML
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: rbd-csi-nodeplugin
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: rbd-csi-nodeplugin
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["get"]
|
|
# allow to read Vault Token and connection options from the Tenants namespace
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["configmaps"]
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["serviceaccounts"]
|
|
verbs: ["get"]
|
|
- apiGroups: [""]
|
|
resources: ["persistentvolumes"]
|
|
verbs: ["get"]
|
|
- apiGroups: ["storage.k8s.io"]
|
|
resources: ["volumeattachments"]
|
|
verbs: ["list", "get"]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: rbd-csi-nodeplugin
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rbd-csi-nodeplugin
|
|
namespace: default
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: rbd-csi-nodeplugin
|
|
apiGroup: rbac.authorization.k8s.io
|