-
Notifications
You must be signed in to change notification settings - Fork 91
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
STOR-1065: Publish ClusterRoles for csi driver sidecars
The PR adds a bunch of new ClusterRoles to `manifests/ dir. This way those new ClusterRoles will be always created, regardless of cloud. They are building blocks to compose ClusterRoles for CSI dirver sidecars. For example, `external-attacher` sidecar for `aws-ebs` csi driver can compose the same ClusterRole as in https://github.com/openshift/aws-ebs-csi-driver-operator/blob/master/assets/rbac/attacher_role.yaml by adding ClusterRoleBindings for `main-attacher-role`, `openshift-csi-csinode-reader-role`, `openshift-csi-volumeattachment-reader-role`, and `openshift-csi-volumeattachment-writer-role`. The only exception is `leases` rules which need to be moved from ClusterRoles to per-namespace Roles anyway. As soon as this change is merged into `cluster-storage-operator`, it will be possible to get rid of ClusterRole definitions in csi driver operators, they will only define ClusterRoleBindings referring these new ClusterRoles.
- Loading branch information
Showing
14 changed files
with
194 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-configmap-reader-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["configmaps"] | ||
| verbs: ["get", "list"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-csinode-reader-role | ||
| rules: | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["csinodes"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-csinodeinfo-reader-role | ||
| rules: | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["csinodeinfos"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-infrastructure-reader-role | ||
| rules: | ||
| - apiGroups: ["config.openshift.io"] | ||
| resources: ["infrastructures"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-secret-reader-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["secrets"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-storageclass-reader-role | ||
| rules: | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["storageclasses"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-volumeattachment-reader-role | ||
| rules: | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["volumeattachments"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-volumeattachment-writer-role | ||
| rules: | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["volumeattachments"] | ||
| verbs: ["update", "patch"] | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["volumeattachments/status"] | ||
| verbs: ["patch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: openshift-csi-volumesnapshot-reader-role | ||
| rules: | ||
| - apiGroups: ["snapshot.storage.k8s.io"] | ||
| resources: ["volumesnapshots"] | ||
| verbs: ["get", "list"] | ||
| - apiGroups: ["snapshot.storage.k8s.io"] | ||
| resources: ["volumesnapshotcontents"] | ||
| verbs: ["get", "list"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: main-attacher-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumes"] | ||
| verbs: ["get", "list", "watch", "update", "patch"] | ||
| - apiGroups: [""] | ||
| resources: ["nodes"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: main-provisioner-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumes"] | ||
| verbs: ["get", "list", "watch", "create", "delete"] | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumeclaims"] | ||
| verbs: ["get", "list", "watch", "update"] | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["storageclasses"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: [""] | ||
| resources: ["events"] | ||
| verbs: ["get", "list", "watch", "create", "update", "patch"] | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["csinodes"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: [""] | ||
| resources: ["nodes"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: main-driver-registrar-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["events"] | ||
| verbs: ["get", "list", "watch", "create", "update", "patch"] | ||
| - apiGroups: [""] | ||
| resources: ["nodes"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumes"] | ||
| verbs: ["get", "list", "watch", "create", "delete"] | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumeclaims"] | ||
| verbs: ["get", "list", "watch", "update"] | ||
| - apiGroups: [""] | ||
| resources: ["secrets"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: [""] | ||
| resources: ["configmaps"] | ||
| verbs: ["get", "list"] | ||
| - apiGroups: ["security.openshift.io"] | ||
| resourceNames: ["privileged"] | ||
| resources: ["securitycontextconstraints"] | ||
| verbs: ["use"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: main-resizer-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumes"] | ||
| verbs: ["get", "list", "watch", "update", "patch"] | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumeclaims"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumeclaims/status"] | ||
| verbs: ["update", "patch"] | ||
| - apiGroups: [""] | ||
| resources: ["events"] | ||
| verbs: ["list", "watch", "create", "update", "patch"] | ||
| - apiGroups: [""] | ||
| resources: ["pods"] | ||
| verbs: ["get", "list", "watch"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: main-snapshotter-role | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumes"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: [""] | ||
| resources: ["persistentvolumeclaims"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: ["storage.k8s.io"] | ||
| resources: ["storageclasses"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: [""] | ||
| resources: ["events"] | ||
| verbs: ["list", "watch", "create", "update", "patch"] | ||
| - apiGroups: [""] | ||
| resources: ["secrets"] | ||
| verbs: ["get", "list"] | ||
| - apiGroups: ["snapshot.storage.k8s.io"] | ||
| resources: ["volumesnapshotclasses"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: ["snapshot.storage.k8s.io"] | ||
| resources: ["volumesnapshotcontents"] | ||
| verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] | ||
| - apiGroups: ["snapshot.storage.k8s.io"] | ||
| resources: ["volumesnapshotcontents/status"] | ||
| verbs: ["update", "patch"] | ||
| - apiGroups: ["snapshot.storage.k8s.io"] | ||
| resources: ["volumesnapshots"] | ||
| verbs: ["get", "list", "watch", "update"] | ||
| - apiGroups: ["apiextensions.k8s.io"] | ||
| resources: ["customresourcedefinitions"] | ||
| verbs: ["create", "list", "watch", "delete"] |