Merge pull request #186 from mpatlasov/Bind-sidecars-to-common-Cluste…

…rRoles

STOR-1065: Rework sidecar bindings to bind common ClusterRoles

assets/rbac/lease_leader_election_role.yaml

@@ -0,0 +1,10 @@
+# Role for electing leader by the operator
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manila-csi-driver-lease-leader-election
+  namespace: openshift-manila-csi-driver
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list", "delete", "update", "create"]

assets/rbac/lease_leader_election_rolebinding.yaml

@@ -0,0 +1,14 @@
+# Grant controller access to leases
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manila-csi-driver-lease-leader-election
+  namespace: openshift-manila-csi-driver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manila-csi-driver-lease-leader-election
+subjects:
+- kind: ServiceAccount
+  name: manila-csi-driver-controller-sa
+  namespace: openshift-manila-csi-driver

assets/rbac/provisioner_binding.yaml → assets/rbac/main_provisioner_binding.yaml

@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: manila-csi-provisioner-binding
+  name: manila-csi-main-provisioner-binding
 subjects:
   - kind: ServiceAccount
     name: manila-csi-driver-controller-sa
     namespace: openshift-manila-csi-driver
 roleRef:
   kind: ClusterRole
-  name: manila-external-provisioner-role
+  name: openshift-csi-main-provisioner-role
   apiGroup: rbac.authorization.k8s.io

assets/rbac/snapshotter_binding.yaml → assets/rbac/main_snapshotter_binding.yaml

@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: manila-csi-snapshotter-binding
+  name: manila-csi-main-snapshotter-binding
 subjects:
   - kind: ServiceAccount
     name: manila-csi-driver-controller-sa
     namespace: openshift-manila-csi-driver
 roleRef:
   kind: ClusterRole
-  name: manila-external-snapshotter-role
+  name: openshift-csi-main-snapshotter-role
   apiGroup: rbac.authorization.k8s.io

assets/rbac/volumeattachment_reader_provisioner_binding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: manila-csi-volumeattachment-reader-provisioner-binding
+subjects:
+  - kind: ServiceAccount
+    name: manila-csi-driver-controller-sa
+    namespace: openshift-manila-csi-driver
+roleRef:
+  kind: ClusterRole
+  name: openshift-csi-provisioner-volumeattachment-reader-role
+  apiGroup: rbac.authorization.k8s.io

pkg/operator/starter.go

@@ -88,17 +88,18 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 			// leading to an initial admission failure. We avoid
 			// this by exploiting the fact that the pods cannot be
 			// scheduled until the SA has been created.
-			"rbac/snapshotter_binding.yaml",
-			"rbac/snapshotter_role.yaml",
-			"rbac/provisioner_binding.yaml",
-			"rbac/provisioner_role.yaml",
+			"rbac/main_snapshotter_binding.yaml",
+			"rbac/main_provisioner_binding.yaml",
+			"rbac/volumeattachment_reader_provisioner_binding.yaml",
 			"rbac/privileged_role.yaml",
 			"rbac/controller_privileged_binding.yaml",
 			"rbac/node_privileged_binding.yaml",
 			"rbac/kube_rbac_proxy_role.yaml",
 			"rbac/kube_rbac_proxy_binding.yaml",
 			"rbac/prometheus_role.yaml",
 			"rbac/prometheus_rolebinding.yaml",
+			"rbac/lease_leader_election_role.yaml",
+			"rbac/lease_leader_election_rolebinding.yaml",
 			"controller_sa.yaml",
 			"controller_pdb.yaml",
 			"node_sa.yaml",