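{{- if .Values.rbacEnable }}
# Grants pod read, pod exec, network-fence management and CRD read access under the name
# rook-ceph-system. Everything in this file is rendered only when .Values.rbacEnable is set.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-system
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
  # Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
  # However, some Kubernetes APIs involve a "subresource", such as the logs for a pod. [...]
  # To represent this in an RBAC role, use a slash to delimit the resource and subresource.
  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]
  # NOTE(review): "create" on pods/exec allows running commands inside pods. How far that
  # reaches depends on the binding for this role, which is not in this file; confirm it is a
  # namespaced RoleBinding rather than a ClusterRoleBinding.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: ["csiaddons.openshift.io"]
    resources: ["networkfences"]
    verbs: ["create", "get", "update", "delete", "watch", "list", "deletecollection"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get"]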
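---
# The cluster role for managing all the cluster-specific resources in a namespace
# NOTE(review): this rule gives full read/write access to secrets alongside workloads. The
# header suggests it is meant to be bound per namespace; verify the binding, because a
# ClusterRoleBinding would extend the secrets access to every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rook-ceph-cluster-mgmt
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
- apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - secrets
  - pods
  - pods/log
  - services
  - configmaps
  - deployments
  - daemonsets
  verbs:
  - get
  - list
  - watch
  - patch
  - create
  - update
  - delete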
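---
# The cluster role for managing the Rook CRDs
apiVersion: rbac.authorization.k8s.io/v1
# Rook watches for its CRDs in all namespaces, so this should be a cluster-scoped role unless the
# operator config `ROOK_CURRENT_NAMESPACE_ONLY=true`.
kind: ClusterRole
metadata:
  name: rook-ceph-global
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
- apiGroups:
  - ""
  resources:
  # Pod access is needed for fencing
  - pods
  # Node access is needed for determining nodes where mons should run
  - nodes
  # NOTE(review): nodes/proxy reaches the kubelet API through the API server. The Kubernetes
  # RBAC good-practices guide warns that this permits command execution in pods on those nodes
  # and bypasses audit logging and admission control; confirm the deployed Rook version needs it.
  - nodes/proxy
  # Rook watches secrets which it uses to configure access to external resources.
  # e.g., external Ceph cluster or object store
  # NOTE(review): list and watch return full Secret contents, not just names.
  - secrets
  # Rook watches for changes to the rook-operator-config configmap
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  # Rook creates events for its custom resources
  - events
  # Rook creates PVs and PVCs for OSDs managed by the Rook provisioner
  # NOTE(review): "create" on persistentvolumes is not limited to a volume type by RBAC, so it
  # also covers hostPath volumes; restrict volume types with admission policy if that matters.
  - persistentvolumes
  - persistentvolumeclaims
  # Rook creates endpoints for mgr and object store access
  - endpoints
  - services
  verbs:
  - get
  - list
  - watch
  - patch
  - create
  - update
  - delete
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
  resources:
  - cephclients
  - cephclusters
  - cephblockpools
  - cephfilesystems
  - cephnfses
  - cephobjectstores
  - cephobjectstoreusers
  - cephobjectrealms
  - cephobjectzonegroups
  - cephobjectzones
  - cephbuckettopics
  - cephbucketnotifications
  - cephrbdmirrors
  - cephfilesystemmirrors
  - cephfilesystemsubvolumegroups
  - cephblockpoolradosnamespaces
  # NOTE(review): cephcosidrivers has no matching /status or /finalizers entry in the two
  # rules below; confirm that is intended.
  - cephcosidrivers
  verbs:
  - get
  - list
  - watch
  # Ideally the update permission is not required, but Rook needs it to add finalizers to resources.
  - update
# Rook must have update access to status subresources for its custom resources.
- apiGroups: ["ceph.rook.io"]
  resources:
  - cephclients/status
  - cephclusters/status
  - cephblockpools/status
  - cephfilesystems/status
  - cephnfses/status
  - cephobjectstores/status
  - cephobjectstoreusers/status
  - cephobjectrealms/status
  - cephobjectzonegroups/status
  - cephobjectzones/status
  - cephbuckettopics/status
  - cephbucketnotifications/status
  - cephrbdmirrors/status
  - cephfilesystemmirrors/status
  - cephfilesystemsubvolumegroups/status
  - cephblockpoolradosnamespaces/status
  verbs: ["update"]
# The "*/finalizers" permission may need to be strictly given for K8s clusters where
# OwnerReferencesPermissionEnforcement is enabled so that Rook can set blockOwnerDeletion on
# resources owned by Rook CRs (e.g., a Secret owned by an OSD Deployment). See more:
# https://kubernetes.io/docs/reference/access-authn-authz/_print/#ownerreferencespermissionenforcement
- apiGroups: ["ceph.rook.io"]
  resources:
  - cephclients/finalizers
  - cephclusters/finalizers
  - cephblockpools/finalizers
  - cephfilesystems/finalizers
  - cephnfses/finalizers
  - cephobjectstores/finalizers
  - cephobjectstoreusers/finalizers
  - cephobjectrealms/finalizers
  - cephobjectzonegroups/finalizers
  - cephobjectzones/finalizers
  - cephbuckettopics/finalizers
  - cephbucketnotifications/finalizers
  - cephrbdmirrors/finalizers
  - cephfilesystemmirrors/finalizers
  - cephfilesystemsubvolumegroups/finalizers
  - cephblockpoolradosnamespaces/finalizers
  verbs: ["update"]
- apiGroups:
  - policy
  - apps
  - extensions
  resources:
  # This is for the clusterdisruption controller
  - poddisruptionbudgets
  # This is for both clusterdisruption and nodedrain controllers
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - deletecollection
- apiGroups:
  - apps
  resources:
  # This is to add osd deployment owner ref on key rotation
  # cron jobs.
  - deployments/finalizers
  verbs:
  - update
- apiGroups:
  - healthchecking.openshift.io
  resources:
  - machinedisruptionbudgets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - machine.openshift.io
  resources:
  - machines
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
- apiGroups:
  - storage.k8s.io
  resources:
  - csidrivers
  verbs:
  - create
  - delete
  - get
  - update
- apiGroups:
  - k8s.cni.cncf.io
  resources:
  - network-attachment-definitions
  verbs:
  - get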
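---
# Aspects of ceph-mgr that require cluster-wide access
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-cluster
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - nodes
  # NOTE(review): nodes/proxy reaches the kubelet API through the API server. The Kubernetes
  # RBAC good-practices guide warns that this permits command execution in pods on those nodes
  # and bypasses audit logging and admission control; confirm ceph-mgr actually needs it.
  - nodes/proxy
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - list
  - get
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch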
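---
# Aspects of ceph-mgr that require access to the system namespace
# Read-only (get/list/watch) access to configmaps; no other resource is granted here.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-system
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch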
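---
# Used for provisioning ObjectBuckets (OBs) in response to ObjectBucketClaims (OBCs).
# Note: Rook runs a copy of the lib-bucket-provisioner's OBC controller.
# OBCs can be created in any Kubernetes namespace, so this must be a cluster-scoped role.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-object-bucket
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
  # NOTE(review): this rule is not limited by resourceNames, so as a cluster-scoped grant it
  # covers get/create/update/delete on every secret and configmap, not only OBC-related ones.
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs:
      # OBC controller creates secrets and configmaps containing information for users about how to
      # connect to object buckets. It deletes them when an OBC is deleted.
      - get
      - create
      - update
      - delete
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs:
      # OBC controller gets parameters from the OBC's storageclass
      # Rook gets additional parameters from the OBC's storageclass
      - get
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbucketclaims"]
    verbs:
      # OBC controller needs to list/watch OBCs and get latest version of a reconciled OBC
      - list
      - watch
      - get
      # Ideally, update should not be needed, but the OBC controller updates the OBC with bucket
      # information outside of the status subresource
      - update
      # OBC controller does not delete OBCs; users do this
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbuckets"]
    verbs:
      # OBC controller needs to list/watch OBs and get latest version of a reconciled OB
      - list
      - watch
      - get
      # OBC controller creates an OB when an OBC's bucket has been provisioned by Ceph, updates them
      # when an OBC is updated, and deletes them when the OBC is de-provisioned.
      - create
      - update
      - delete
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbucketclaims/status", "objectbuckets/status"]
    verbs:
      # OBC controller updates OBC and OB statuses
      - update
  - apiGroups: ["objectbucket.io"]
    # This does not strictly allow the OBC/OB controllers to update finalizers. That is handled by
    # the direct "update" permissions above. Instead, this allows Rook's controller to create
    # resources which are owned by OBs/OBCs and where blockOwnerDeletion is set.
    resources: ["objectbucketclaims/finalizers", "objectbuckets/finalizers"]
    verbs:
      - update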
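---
# Read-only access to node objects (get and list only; no watch and no write verbs).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-osd
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list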
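---
# Allows reading a node object by name ("get" only; no list or watch).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cephfs-csi-nodeplugin
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]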
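---
{{- if .Values.csi.nfs.enabled }}
# Volume, snapshot and lease permissions under the name ceph-nfs-external-provisioner-runner.
# Rendered only when .Values.csi.nfs.enabled is set; the conditional is closed after the
# ceph-nfs-csi-nodeplugin role that follows.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ceph-nfs-external-provisioner-runner
rules:
  # NOTE(review): "create" on persistentvolumes is not limited to a volume type by RBAC, so it
  # also covers hostPath volumes; restrict volume types with admission policy if that matters.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "patch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  # Secrets are readable by name only ("get"); no list or watch is granted.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]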
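---
# TODO: remove this, once https://github.com/rook/rook/issues/10141
# is resolved.
# Allows reading a node object by name ("get" only; no list or watch).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ceph-nfs-csi-nodeplugin
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]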
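---
{{ end }}
# Volume, attachment and snapshot permissions under the name
# cephfs-external-provisioner-runner. The template `end` above closes a conditional opened
# earlier in the file; this role sits outside that conditional.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cephfs-external-provisioner-runner
rules:
  # NOTE(review): "list" returns full Secret contents, and this rule is not limited by
  # resourceNames; check how the role is bound before treating it as narrow.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): "create" on persistentvolumes is not limited to a volume type by RBAC, so it
  # also covers hostPath volumes; restrict volume types with admission policy if that matters.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "patch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list", "watch", "patch", "update", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents/status"]
    verbs: ["update", "patch"]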
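---
# Read access to secrets, volumes and nodes plus service-account token creation, under the
# name rbd-csi-nodeplugin.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-csi-nodeplugin
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
  # NOTE(review): "list" returns full Secret contents, and this rule is not limited by
  # resourceNames; check how the role is bound before treating it as narrow.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get"]
  # NOTE(review): "create" on serviceaccounts/token issues tokens for existing service
  # accounts. Nothing here limits which accounts, so the binding scope decides the exposure.
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]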
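---
# Volume, attachment, snapshot and token permissions under the name
# rbd-external-provisioner-runner.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-external-provisioner-runner
rules:
  # NOTE(review): list and watch return full Secret contents, and this rule is not limited by
  # resourceNames; check how the role is bound before treating it as narrow.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): "create" on persistentvolumes is not limited to a volume type by RBAC, so it
  # also covers hostPath volumes; restrict volume types with admission policy if that matters.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  # nodes and csinodes are each granted once. RBAC rules are additive, so listing the same
  # rule a second time further down would add no permission.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list", "watch", "patch", "update", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get"]
  # NOTE(review): "create" on serviceaccounts/token issues tokens for existing service
  # accounts. Nothing here limits which accounts, so the binding scope decides the exposure.
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]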
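---
# Permissions on objectstorage.k8s.io resources, leases, secrets and events under the name
# objectstorage-provisioner-role. The closing template `end` matches a conditional opened
# earlier in the file.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: objectstorage-provisioner-role
  labels:
    app.kubernetes.io/part-of: container-object-storage-interface
    app.kubernetes.io/component: driver-ceph
    app.kubernetes.io/name: cosi-driver-ceph
rules:
  - apiGroups: ["objectstorage.k8s.io"]
    resources:
      - buckets
      - bucketaccesses
      - bucketclaims
      - bucketaccessclasses
      - buckets/status
      - bucketaccesses/status
      - bucketclaims/status
      - bucketaccessclasses/status
    verbs: ["get", "list", "watch", "update", "create", "delete"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  # NOTE(review): secrets share a rule with events here, so both get the same
  # get/delete/update/create verbs with no resourceNames limit. Splitting the rule would let
  # the secrets grant be narrowed on its own; confirm what the driver needs.
  - apiGroups: [""]
    resources: ["secrets", "events"]
    verbs: ["get", "delete", "update", "create"]
{{- end }}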
okozachenko120323147262023-01-28 04:16:42 +1100654{{- end }}