build: add rbac for default sa
rook csv doesn't contain the default
service account

recently we added default sa for most
of the ceph daemons but it didn't have the
rbacs, so added the rbacs to it
so rook csv can generate default sa

Signed-off-by: parth-gr <partharora1010@gmail.com>
parth-gr committed Mar 12, 2024
1 parent 571f47f commit c658d7f
Showing 3 changed files with 49 additions and 0 deletions.
10 changes: 10 additions & 0 deletions deploy/charts/library/templates/_cluster-role.tpl
Expand Up @@ -148,4 +148,14 @@ rules:
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "update", "delete", "list"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-default
namespace: {{ .Release.Namespace }} # namespace:cluster
rules:
- apiGroups: [""]
resources: ["pod"]
verbs: ["get"]
{{- end }}
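Review bot: In the rules of the new rook-ceph-default Role, `resources: ["pod"]` uses the singular form, but RBAC rules match the plural resource name, so this rule does not authorize `get` on pods and the role grants nothing in practice. Change it to `resources: ["pods"]`, and keep the verb list at `get` only, since the commit message says this service account is used by most of the Ceph daemons.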
14 changes: 14 additions & 0 deletions deploy/charts/library/templates/_cluster-rolebinding.tpl
Expand Up @@ -105,4 +105,18 @@ subjects:
- kind: ServiceAccount
name: rook-ceph-purge-osd
namespace: {{ .Release.Namespace }} # namespace:cluster
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-default
namespace: {{ .Release.Namespace }} # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: rook-ceph-default
subjects:
- kind: ServiceAccount
name: rook-ceph-default
namespace: {{ .Release.Namespace }} # namespace:cluster
{{- end }}
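Review bot: The subject of the new RoleBinding, ServiceAccount rook-ceph-default, is described in the commit message as the account used by most of the Ceph daemons, so anything the rook-ceph-default Role grants now or later applies to every pod running under it. Add a template comment above the binding stating that the role is shared and must stay read-only, and put any daemon-specific permission on that daemon's own service account instead of widening this one.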
25 changes: 25 additions & 0 deletions deploy/examples/common.yaml
Expand Up @@ -790,6 +790,17 @@ rules:
- update
- delete
---
# Aspects of ceph osd purge job that require access to the cluster namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-default
namespace: rook-ceph # namespace:cluster
rules:
- apiGroups: [""]
resources: ["pod"]
verbs: ["get"]
---
# Aspects of ceph-mgr that operate within the cluster's namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
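Review bot: The comment above the new Role, "# Aspects of ceph osd purge job that require access to the cluster namespace", describes the OSD purge job rather than rook-ceph-default and looks copied from another entry; replace it with a line saying what the default service account needs and why. The rule in this Role also uses the singular `resources: ["pod"]`, which matches no RBAC resource and should be `resources: ["pods"]`.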
Expand Down Expand Up @@ -1052,6 +1063,20 @@ subjects:
name: rook-ceph-cmd-reporter
namespace: rook-ceph # namespace:cluster
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-default
namespace: rook-ceph # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: rook-ceph-default
subjects:
- kind: ServiceAccount
name: rook-ceph-default
namespace: rook-ceph # namespace:cluster
---
# Allow the ceph mgr to access resources scoped to the CephCluster namespace necessary for mgr modules
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
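Review bot: The rook-ceph-default RoleBinding is added without a descriptive comment, while the RoleBinding that follows it carries one ("# Allow the ceph mgr to access resources scoped to the CephCluster namespace necessary for mgr modules"). Add a one-line comment naming which pods run under rook-ceph-default and why they need the role, so a later reader auditing common.yaml can tell the binding is intentional and how far it reaches.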