From 8d614882e131e9274c4c705c53cf3d793c06201f Mon Sep 17 00:00:00 2001 From: Alberto <93380371+alcampag@users.noreply.github.com> Date: Wed, 12 Mar 2025 13:37:06 +0100 Subject: [PATCH] Update policies.md Added policies for FSS creation by OKE --- .../oke/oke-policies/policies.md | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/app-dev/devops-and-containers/oke/oke-policies/policies.md b/app-dev/devops-and-containers/oke/oke-policies/policies.md index 1dc2840a2..acb3200e6 100644 --- a/app-dev/devops-and-containers/oke/oke-policies/policies.md +++ b/app-dev/devops-and-containers/oke/oke-policies/policies.md @@ -128,7 +128,7 @@ ALLOW any-user to manage public-ips in TENANCY where ALL {request.principal.type -### ATTACH NSGs WHEN THEY ARE IN DIFFERENT COMPARTMENTS THAN OKE +### ATTACH NSGs WHEN THEY ARE IN DIFFERENT COMPARTMENT THAN OKE [https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer\_topic\_Specifying\_Load\_Balancer\_Network\_Security\_Group](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengconfiguringloadbalancersnetworkloadbalancers-subtopic.htm#contengcreatingloadbalancer_topic_Specifying_Load_Balancer_Network_Security_Group) 
@@ -144,3 +144,21 @@ Allow any-user to use network-security-groups in compartment where request.principal.type = 'cluster' ALLOW any-user to use volumes in compartment where request.principal.type = 'cluster' ``` + +### PROVISION A PVC ON A NEW FILE SYSTEM USING THE CSI VOLUME PLUGIN + +[https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_Provisioning_PVCs_on_FSS.htm#contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_FSS-Using-CSI-Volume-Plugin](https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingpersistentvolumeclaim_Provisioning_PVCs_on_FSS.htm#contengcreatingpersistentvolumeclaim_topic-Provisioning_PVCs_on_FSS-Using-CSI-Volume-Plugin) + +Cluster will need policies to create a new file system and to handle network resources: + +``` +ALLOW any-user to manage file-family in compartment where request.principal.type = 'cluster' +ALLOW any-user to use virtual-network-family in compartment where request.principal.type = 'cluster' +``` + +If the compartment to which a node pool, worker node subnet, file system, or mount target belongs, is different to the compartment to which a cluster belongs, IAM policies must exist to enable the CSI volume plugin to access the appropriate location. + +``` +ALLOW any-user to manage file-family in TENANCY where request.principal.type = 'cluster' +ALLOW any-user to use virtual-network-family in TENANCY where request.principal.type = 'cluster' +```
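Review bot: the heading edit in the first hunk (`-### ATTACH NSGs WHEN THEY ARE IN DIFFERENT COMPARTMENTS THAN OKE` / `+### ATTACH NSGs WHEN THEY ARE IN DIFFERENT COMPARTMENT THAN OKE`) is cosmetic and the new wording is no more grammatical than the old; if the heading is being touched anyway, prefer "IN A DIFFERENT COMPARTMENT FROM OKE" ("different from", with the article), which also matches the singular used in the new FSS section below.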
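Review bot: the tenancy-wide block in the second hunk (`ALLOW any-user to manage file-family in TENANCY where request.principal.type = 'cluster'` and the matching `use virtual-network-family in TENANCY` line) grants every OKE cluster in the tenancy manage rights over every file system, mount target and export in the tenancy, which is far broader than the cross-compartment case the surrounding sentence describes; suggest scoping the statements to the compartments that actually hold the node pool, worker subnet, file system and mount target (`in compartment <name>`, one statement per compartment) and, where only one cluster needs it, adding `request.principal.id = '<cluster-ocid>'` to the `where` clause so the grant is not inherited by clusters created later. The same placeholder gap affects the first block: `in compartment where request.principal.type = 'cluster'` is not valid OCI policy syntax without a compartment name, and although the existing `use volumes` entry above has the same shape, new entries should show `in compartment <compartment-name>` so readers do not paste it verbatim. Also make explicit in the prose that the TENANCY block replaces, not supplements, the compartment block, since as written the two read as cumulative. Minor wording in the same hunk: "Cluster will need policies" should be "The cluster will need policies", and "is different to the compartment" should be "is different from the compartment" with the comma after "belongs" removed.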