Blame - charts/rook-ceph/templates/clusterrolebinding.yaml - atmosphere

blob: 58fb25d09edeb12e57bf0516e231bb4f32bd1c1e [file] [log] [blame]

okozachenko1203	2314726	2023-01-28 04:16:42 +1100	[diff] [blame]	1	{{- if .Values.rbacEnable }}
				2	kind: ClusterRoleBinding
				3	apiVersion: rbac.authorization.k8s.io/v1
				4	metadata:
				5	name: rook-ceph-system
				6	labels:
				7	operator: rook
				8	storage-backend: ceph
				9	{{- include "library.rook-ceph.labels" . \| nindent 4 }}
				10	roleRef:
				11	apiGroup: rbac.authorization.k8s.io
				12	kind: ClusterRole
				13	name: rook-ceph-system
				14	subjects:
				15	- kind: ServiceAccount
				16	name: rook-ceph-system
				17	namespace: {{ .Release.Namespace }} # namespace:operator
				18	---
				19	# Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
				20	kind: ClusterRoleBinding
				21	apiVersion: rbac.authorization.k8s.io/v1
				22	metadata:
				23	name: rook-ceph-global
				24	labels:
				25	operator: rook
				26	storage-backend: ceph
				27	{{- include "library.rook-ceph.labels" . \| nindent 4 }}
				28	roleRef:
				29	apiGroup: rbac.authorization.k8s.io
				30	kind: ClusterRole
				31	name: rook-ceph-global
				32	subjects:
				33	- kind: ServiceAccount
				34	name: rook-ceph-system
				35	namespace: {{ .Release.Namespace }} # namespace:operator
				36	---
				37	kind: ClusterRoleBinding
				38	# Give Rook-Ceph Operator permissions to provision ObjectBuckets in response to ObjectBucketClaims.
				39	apiVersion: rbac.authorization.k8s.io/v1
				40	metadata:
				41	name: rook-ceph-object-bucket
				42	roleRef:
				43	apiGroup: rbac.authorization.k8s.io
				44	kind: ClusterRole
				45	name: rook-ceph-object-bucket
				46	subjects:
				47	- kind: ServiceAccount
				48	name: rook-ceph-system
				49	namespace: {{ .Release.Namespace }} # namespace:operator
				50	---
				51	kind: ClusterRoleBinding
				52	apiVersion: rbac.authorization.k8s.io/v1
				53	metadata:
				54	name: rbd-csi-nodeplugin
				55	subjects:
				56	- kind: ServiceAccount
				57	name: rook-csi-rbd-plugin-sa
				58	namespace: {{ .Release.Namespace }} # namespace:operator
				59	roleRef:
				60	kind: ClusterRole
				61	name: rbd-csi-nodeplugin
				62	apiGroup: rbac.authorization.k8s.io
				63	---
				64	kind: ClusterRoleBinding
				65	apiVersion: rbac.authorization.k8s.io/v1
				66	metadata:
				67	name: cephfs-csi-provisioner-role
				68	subjects:
				69	- kind: ServiceAccount
				70	name: rook-csi-cephfs-provisioner-sa
				71	namespace: {{ .Release.Namespace }} # namespace:operator
				72	roleRef:
				73	kind: ClusterRole
				74	name: cephfs-external-provisioner-runner
				75	apiGroup: rbac.authorization.k8s.io
				76	---
Mohammed Naser	65cda13	2024-05-02 14:34:08 -0400	[diff] [blame]	77	# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
				78	# otherwise operator-sdk will create a individual file for these.
				79	kind: ClusterRoleBinding
				80	apiVersion: rbac.authorization.k8s.io/v1
				81	metadata:
				82	name: cephfs-csi-nodeplugin-role
				83	subjects:
				84	- kind: ServiceAccount
				85	name: rook-csi-cephfs-plugin-sa
				86	namespace: {{ .Release.Namespace }} # namespace:operator
				87	roleRef:
				88	kind: ClusterRole
				89	name: cephfs-csi-nodeplugin
				90	apiGroup: rbac.authorization.k8s.io
				91	---
okozachenko1203	2314726	2023-01-28 04:16:42 +1100	[diff] [blame]	92	{{- if .Values.csi.nfs.enabled }}
				93	kind: ClusterRoleBinding
				94	apiVersion: rbac.authorization.k8s.io/v1
				95	metadata:
				96	name: ceph-nfs-csi-provisioner-role
				97	subjects:
				98	- kind: ServiceAccount
				99	name: rook-csi-nfs-provisioner-sa
				100	namespace: {{ .Release.Namespace }} # namespace:operator
				101	roleRef:
				102	kind: ClusterRole
				103	name: ceph-nfs-external-provisioner-runner
				104	apiGroup: rbac.authorization.k8s.io
				105	---
				106	# TODO: remove this, once https://github.com/rook/rook/issues/10141
				107	# is resolved.
				108	kind: ClusterRoleBinding
				109	apiVersion: rbac.authorization.k8s.io/v1
				110	metadata:
				111	name: ceph-nfs-csi-nodeplugin-role
				112	subjects:
				113	- kind: ServiceAccount
				114	name: rook-csi-nfs-plugin-sa
				115	namespace: {{ .Release.Namespace }} # namespace:operator
				116	roleRef:
				117	kind: ClusterRole
				118	name: ceph-nfs-csi-nodeplugin
				119	apiGroup: rbac.authorization.k8s.io
				120	---
				121	{{ end }}
				122	kind: ClusterRoleBinding
				123	apiVersion: rbac.authorization.k8s.io/v1
				124	metadata:
				125	name: rbd-csi-provisioner-role
				126	subjects:
				127	- kind: ServiceAccount
				128	name: rook-csi-rbd-provisioner-sa
				129	namespace: {{ .Release.Namespace }} # namespace:operator
				130	roleRef:
				131	kind: ClusterRole
				132	name: rbd-external-provisioner-runner
				133	apiGroup: rbac.authorization.k8s.io
Mohammed Naser	65cda13	2024-05-02 14:34:08 -0400	[diff] [blame]	134	---
				135	# RBAC for ceph cosi driver service account
				136	kind: ClusterRoleBinding
				137	apiVersion: rbac.authorization.k8s.io/v1
				138	metadata:
				139	name: objectstorage-provisioner-role-binding
				140	labels:
				141	app.kubernetes.io/part-of: container-object-storage-interface
				142	app.kubernetes.io/component: driver-ceph
				143	app.kubernetes.io/name: cosi-driver-ceph
				144	subjects:
				145	- kind: ServiceAccount
				146	name: objectstorage-provisioner
				147	namespace: {{ .Release.Namespace }} # namespace:operator
				148	roleRef:
				149	kind: ClusterRole
				150	name: objectstorage-provisioner-role
				151	apiGroup: rbac.authorization.k8s.io
okozachenko1203	2314726	2023-01-28 04:16:42 +1100	[diff] [blame]	152	{{- end }}