charts/rook-ceph/templates/clusterrolebinding.yaml - atmosphere - Gitiles

 {{- if .Values.rbacEnable }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-system
   labels:
     operator: rook
     storage-backend: ceph
     {{- include "library.rook-ceph.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-system
 subjects:
   - kind: ServiceAccount
     name: rook-ceph-system
     namespace: {{ .Release.Namespace }} # namespace:operator
 ---
 # Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-global
   labels:
     operator: rook
     storage-backend: ceph
     {{- include "library.rook-ceph.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-global
 subjects:
 - kind: ServiceAccount
   name: rook-ceph-system
   namespace: {{ .Release.Namespace }} # namespace:operator
 ---
 kind: ClusterRoleBinding
 # Give Rook-Ceph Operator permissions to provision ObjectBuckets in response to ObjectBucketClaims.
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-object-bucket
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-object-bucket
 subjects:
   - kind: ServiceAccount
     name: rook-ceph-system
     namespace: {{ .Release.Namespace }} # namespace:operator
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-nodeplugin
 subjects:
   - kind: ServiceAccount
     name: rook-csi-rbd-plugin-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
   name: rbd-csi-nodeplugin
   apiGroup: rbac.authorization.k8s.io
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-provisioner-role
 subjects:
   - kind: ServiceAccount
     name: rook-csi-cephfs-provisioner-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
   name: cephfs-external-provisioner-runner
   apiGroup: rbac.authorization.k8s.io
 ---
 # This is required by operator-sdk to map the cluster/clusterrolebindings with SA
 # otherwise operator-sdk will create a individual file for these.
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-nodeplugin-role
 subjects:
   - kind: ServiceAccount
     name: rook-csi-cephfs-plugin-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
   name: cephfs-csi-nodeplugin
   apiGroup: rbac.authorization.k8s.io
 ---
 {{- if .Values.csi.nfs.enabled }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: ceph-nfs-csi-provisioner-role
 subjects:
   - kind: ServiceAccount
     name: rook-csi-nfs-provisioner-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
   name: ceph-nfs-external-provisioner-runner
   apiGroup: rbac.authorization.k8s.io
 ---
 # TODO: remove this, once https://github.com/rook/rook/issues/10141
 # is resolved.
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: ceph-nfs-csi-nodeplugin-role
 subjects:
   - kind: ServiceAccount
     name: rook-csi-nfs-plugin-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
   name: ceph-nfs-csi-nodeplugin
   apiGroup: rbac.authorization.k8s.io
 ---
 {{ end }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-provisioner-role
 subjects:
   - kind: ServiceAccount
     name: rook-csi-rbd-provisioner-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
   name: rbd-external-provisioner-runner
   apiGroup: rbac.authorization.k8s.io
 ---
 # RBAC for ceph cosi driver service account
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: objectstorage-provisioner-role-binding
   labels:
     app.kubernetes.io/part-of: container-object-storage-interface
     app.kubernetes.io/component: driver-ceph
     app.kubernetes.io/name: cosi-driver-ceph
 subjects:
   - kind: ServiceAccount
     name: objectstorage-provisioner
     namespace: {{ .Release.Namespace }} # namespace:operator
 roleRef:
   kind: ClusterRole
   name: objectstorage-provisioner-role
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
	{{- if .Values.rbacEnable }}
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: rook-ceph-system
	labels:
	operator: rook
	storage-backend: ceph
	{{- include "library.rook-ceph.labels" . \| nindent 4 }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: rook-ceph-system
	subjects:
	- kind: ServiceAccount
	name: rook-ceph-system
	namespace: {{ .Release.Namespace }} # namespace:operator
	---
	# Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: rook-ceph-global
	labels:
	operator: rook
	storage-backend: ceph
	{{- include "library.rook-ceph.labels" . \| nindent 4 }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: rook-ceph-global
	subjects:
	- kind: ServiceAccount
	name: rook-ceph-system
	namespace: {{ .Release.Namespace }} # namespace:operator
	---
	kind: ClusterRoleBinding
	# Give Rook-Ceph Operator permissions to provision ObjectBuckets in response to ObjectBucketClaims.
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: rook-ceph-object-bucket
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: rook-ceph-object-bucket
	subjects:
	- kind: ServiceAccount
	name: rook-ceph-system
	namespace: {{ .Release.Namespace }} # namespace:operator
	---
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: rbd-csi-nodeplugin
	subjects:
	- kind: ServiceAccount
	name: rook-csi-rbd-plugin-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	roleRef:
	kind: ClusterRole
	name: rbd-csi-nodeplugin
	apiGroup: rbac.authorization.k8s.io
	---
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: cephfs-csi-provisioner-role
	subjects:
	- kind: ServiceAccount
	name: rook-csi-cephfs-provisioner-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	roleRef:
	kind: ClusterRole
	name: cephfs-external-provisioner-runner
	apiGroup: rbac.authorization.k8s.io
	---
	# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
	# otherwise operator-sdk will create a individual file for these.
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: cephfs-csi-nodeplugin-role
	subjects:
	- kind: ServiceAccount
	name: rook-csi-cephfs-plugin-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	roleRef:
	kind: ClusterRole
	name: cephfs-csi-nodeplugin
	apiGroup: rbac.authorization.k8s.io
	---
	{{- if .Values.csi.nfs.enabled }}
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: ceph-nfs-csi-provisioner-role
	subjects:
	- kind: ServiceAccount
	name: rook-csi-nfs-provisioner-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	roleRef:
	kind: ClusterRole
	name: ceph-nfs-external-provisioner-runner
	apiGroup: rbac.authorization.k8s.io
	---
	# TODO: remove this, once https://github.com/rook/rook/issues/10141
	# is resolved.
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: ceph-nfs-csi-nodeplugin-role
	subjects:
	- kind: ServiceAccount
	name: rook-csi-nfs-plugin-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	roleRef:
	kind: ClusterRole
	name: ceph-nfs-csi-nodeplugin
	apiGroup: rbac.authorization.k8s.io
	---
	{{ end }}
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: rbd-csi-provisioner-role
	subjects:
	- kind: ServiceAccount
	name: rook-csi-rbd-provisioner-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	roleRef:
	kind: ClusterRole
	name: rbd-external-provisioner-runner
	apiGroup: rbac.authorization.k8s.io
	---
	# RBAC for ceph cosi driver service account
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: objectstorage-provisioner-role-binding
	labels:
	app.kubernetes.io/part-of: container-object-storage-interface
	app.kubernetes.io/component: driver-ceph
	app.kubernetes.io/name: cosi-driver-ceph
	subjects:
	- kind: ServiceAccount
	name: objectstorage-provisioner
	namespace: {{ .Release.Namespace }} # namespace:operator
	roleRef:
	kind: ClusterRole
	name: objectstorage-provisioner-role
	apiGroup: rbac.authorization.k8s.io
	{{- end }}