STOR-1065: Publish ClusterRoles for csi driver sidecars #379
@mpatlasov: This pull request references STOR-1065 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @gnufied
/retest
Force-pushed from 204737a to d44576a.
metadata: | ||
name: volumesnapshot-external-provisioner-role | ||
rules: | ||
- apiGroups: ["snapshot.storage.k8s.io"] | ||
resources: ["volumesnapshots"] | ||
verbs: ["get", "list"] | ||
- apiGroups: ["snapshot.storage.k8s.io"] | ||
resources: ["volumesnapshotcontents"] | ||
verbs: ["get", "list"] |
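Review bot: the two rules under `rules:` grant identical verbs (`get`, `list`) in the same API group, so they can collapse into one rule with `resources: ["volumesnapshots", "volumesnapshotcontents"]`. The name `volumesnapshot-external-provisioner-role` also gives no hint that the role is read-only and carries no project prefix; since ClusterRole names are cluster-scoped, a prefixed name that states the access level would be easier to audit and less likely to collide with another ClusterRole.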
Ditto, if a storage backend supports snapshots, this (and more) will be part of the external-snapshotter role.
Same as in the comment above: provisioner needs only two verbs: `["get", "list"]`, while snapshotter wants more: `["get", "list", "watch", "update"]`.
Force-pushed from d44576a to 2d6174e.
external-provisioner
sidecar
The last force-push fully reworks PR putting all ClusterRole building blocks (for all sidecars) to
/retest
Force-pushed from 2d6174e to 00e9da7.
New force-push updates PR:
/retest ci/prow/hypershift-aws-e2e-external
/test ci/prow/hypershift-aws-e2e-external
/test hypershift-aws-e2e-external
/retest
/retest
Force-pushed from 00e9da7 to d114bbb.
/test e2e-azure-csi
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: gnufied, mpatlasov
Merged commit 0888a23 into openshift:master.
PR openshift/cluster-storage-operator#379 published building blocks of sidecar ClusterRoles. Now, aws-efs csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 published building blocks of sidecar ClusterRoles. Now, gcp-pd csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 published building blocks of sidecar ClusterRoles. Now, gcp-filestore csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 published building blocks of sidecar ClusterRoles. Now, azure-disk csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 published building blocks of sidecar ClusterRoles. Now, azure-file csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 published building blocks of sidecar ClusterRoles. Now, ibm-powervs-block csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 published building blocks of sidecar ClusterRoles. Now, ibm-vpc-block csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 published building blocks of sidecar ClusterRoles. Now, openstack-cinder csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 publishes building blocks of sidecar ClusterRoles. Now, vmware-vsphere csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
PR openshift/cluster-storage-operator#379 publishes building blocks of sidecar ClusterRoles. Now, manila csi driver operator may compose its sidecars ClusterRoles from those building blocks. This PR also moves permissions for `leases` resource from ClusterRole to per-namespace Role (`assets/rbac/lease_leader_election_role.yaml`).
The PR adds a bunch of new ClusterRoles to the `manifests/` dir. This way those new ClusterRoles will be always created, regardless of cloud. They are building blocks to compose ClusterRoles for CSI driver sidecars. For example, the `external-provisioner` sidecar for the `aws-ebs` csi driver can compose the same ClusterRole as in https://github.com/openshift/aws-ebs-csi-driver-operator/blob/master/assets/rbac/provisioner_role.yaml by adding ClusterRoleBindings for `openshift-csi-main-provisioner-role` and `openshift-csi-provisioner-volumesnapshot-reader-role`. The only exception is `leases` rules which need to be moved from ClusterRoles to per-namespace Roles anyway.

As soon as this change is merged into `cluster-storage-operator`, it will be possible to get rid of ClusterRole definitions in csi driver operators, they will only define ClusterRoleBindings referring these new ClusterRoles.
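
The composition described above, written out as an added example that is not part of the PR or of any operator's own manifests: two ClusterRoleBindings attach the published building-block ClusterRoles to a sidecar's service account, and a namespaced Role keeps `leases` access confined to the driver's namespace. Every `example-` name, the namespace, and the verb list on `leases` are assumptions made for illustration; only the two `roleRef` ClusterRole names come from the PR description.

```yaml
# Added example: "example-" names and the namespace are placeholders.
# Cluster-wide permissions for the provisioner sidecar are composed from
# the published building blocks; the operator ships bindings only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: example-csi-main-provisioner-binding}
subjects:
  - {kind: ServiceAccount, name: example-csi-driver-controller-sa, namespace: example-csi-drivers}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-csi-main-provisioner-role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: example-csi-volumesnapshot-reader-binding}
subjects:
  - {kind: ServiceAccount, name: example-csi-driver-controller-sa, namespace: example-csi-drivers}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-csi-provisioner-volumesnapshot-reader-role
---
# Leader-election leases are granted by a namespaced Role, so the sidecar
# cannot touch leases that belong to components in other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-lease-leader-election-role
  namespace: example-csi-drivers
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]  # assumed verb set
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-lease-leader-election-binding
  namespace: example-csi-drivers
subjects:
  - {kind: ServiceAccount, name: example-csi-driver-controller-sa, namespace: example-csi-drivers}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-lease-leader-election-role
```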