kubespray/roles/kubernetes-apps/scheduler_plugins/templates/rbac-scheduler-plugins.yaml.j2

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scheduler-plugins-scheduler
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["", "events.k8s.io"]
  resources: ["events"]
  verbs: ["create", "patch", "update"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create"]
- apiGroups: ["coordination.k8s.io"]
  resourceNames: ["kube-scheduler"]
  resources: ["leases"]
  verbs: ["get", "update"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["create"]
- apiGroups: [""]
  resourceNames: ["kube-scheduler"]
  resources: ["endpoints"]
  verbs: ["get", "update"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["delete", "get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["bindings", "pods/binding"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["pods/status"]
  verbs: ["patch", "update"]
- apiGroups: [""]
  resources: ["replicationcontrollers", "services"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims", "persistentvolumes"]
  verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
- apiGroups: ["storage.k8s.io"]
  resources: ["csinodes", "storageclasses" , "csidrivers" , "csistoragecapacities"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["topology.node.k8s.io"]
  resources: ["noderesourcetopologies"]
  verbs: ["get", "list", "watch"]
# resources need to be updated with the scheduler plugins used
- apiGroups: ["scheduling.x-k8s.io"]
  resources: ["podgroups", "elasticquotas", "podgroups/status", "elasticquotas/status"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
# for network-aware plugins add the following lines (scheduler-plugins v0.27.8)
#- apiGroups: [ "appgroup.diktyo.x-k8s.io" ]
#  resources: [ "appgroups" ]
#  verbs: [ "get", "list", "watch", "create", "delete", "update", "patch" ]
#- apiGroups: [ "networktopology.diktyo.x-k8s.io" ]
#  resources: [ "networktopologies" ]
#  verbs: [ "get", "list", "watch", "create", "delete", "update", "patch" ]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: scheduler-plugins-scheduler
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scheduler-plugins-scheduler
subjects:
- kind: ServiceAccount
  name: scheduler-plugins-scheduler
  namespace: {{ scheduler_plugins_namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: scheduler-plugins-controller
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch", "update"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["topology.node.k8s.io"]
  resources: ["noderesourcetopologies"]
  verbs: ["get", "list", "watch"]
# resources need to be updated with the scheduler plugins used
- apiGroups: ["scheduling.x-k8s.io"]
  resources: ["podgroups", "elasticquotas", "podgroups/status", "elasticquotas/status"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: scheduler-plugins-controller
subjects:
- kind: ServiceAccount
  name: scheduler-plugins-controller
  namespace: {{ scheduler_plugins_namespace }}
roleRef:
  kind: ClusterRole
  name: scheduler-plugins-controller
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sched-plugins::extension-apiserver-authentication-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: scheduler-plugins-scheduler
  namespace: {{ scheduler_plugins_namespace }}
- kind: ServiceAccount
  name: scheduler-plugins-controller
  namespace: {{ scheduler_plugins_namespace }}