|
|
##### Node Service Account, Roles, RoleBindingsapiVersion: v1kind: ServiceAccountmetadata: name: csi-gce-pd-node-sa namespace: kube-system
---##### Controller Service Account, Roles, RolebindingsapiVersion: v1kind: ServiceAccountmetadata: name: csi-gce-pd-controller-sa namespace: kube-system
---# xref: https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yamlkind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-provisioner-rolerules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"]
---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-controller-provisioner-bindingsubjects: - kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-systemroleRef: kind: ClusterRole name: csi-gce-pd-provisioner-role apiGroup: rbac.authorization.k8s.io
---# xref: https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yamlkind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-attacher-rolerules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments/status"] verbs: ["patch"]---
kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-controller-attacher-bindingsubjects: - kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-systemroleRef: kind: ClusterRole name: csi-gce-pd-attacher-role apiGroup: rbac.authorization.k8s.io
---
apiVersion: scheduling.k8s.io/v1kind: PriorityClassmetadata: name: csi-gce-pd-controllervalue: 900000000globalDefault: falsedescription: "This priority class should be used for the GCE PD CSI driver controller deployment only."
---
apiVersion: scheduling.k8s.io/v1kind: PriorityClassmetadata: name: csi-gce-pd-nodevalue: 900001000globalDefault: falsedescription: "This priority class should be used for the GCE PD CSI driver node deployment only."
---
# Resizer must be able to work with PVCs, PVs, SCs.kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-resizer-rolerules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"]
---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-resizer-bindingsubjects: - kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-systemroleRef: kind: ClusterRole name: csi-gce-pd-resizer-role apiGroup: rbac.authorization.k8s.io
---apiVersion: policy/v1beta1kind: PodSecurityPolicymetadata: name: csi-gce-pd-node-pspspec: seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny privileged: true volumes: - '*' hostNetwork: true allowedHostPaths: - pathPrefix: "/var/lib/kubelet/plugins_registry/" - pathPrefix: "/var/lib/kubelet" - pathPrefix: "/var/lib/kubelet/plugins/pd.csi.storage.gke.io/" - pathPrefix: "/dev" - pathPrefix: "/etc/udev" - pathPrefix: "/lib/udev" - pathPrefix: "/run/udev" - pathPrefix: "/sys"---
kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-node-deployrules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - csi-gce-pd-node-psp---
apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata: name: csi-gce-pd-noderoleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: csi-gce-pd-node-deploysubjects:- kind: ServiceAccount name: csi-gce-pd-node-sa namespace: kube-system
|
