|
|
##### Node Service Account, Roles, RoleBindingsapiVersion: v1kind: ServiceAccountmetadata: name: csi-gce-pd-node-sa namespace: kube-system
---##### Controller Service Account, Roles, RolebindingsapiVersion: v1kind: ServiceAccountmetadata: name: csi-gce-pd-controller-sa namespace: kube-system
---# xref: https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yamlkind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-provisioner-rolerules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["get", "list"] # Access to volumeattachments is only needed when the CSI driver # has the PUBLISH_UNPUBLISH_VOLUME controller capability. # In that case, external-provisioner will watch volumeattachments # to determine when it is safe to delete a volume. - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch"]---
kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-controller-provisioner-bindingsubjects: - kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-systemroleRef: kind: ClusterRole name: csi-gce-pd-provisioner-role apiGroup: rbac.authorization.k8s.io
---# xref: https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yamlkind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-attacher-rolerules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments/status"] verbs: ["patch"]---
kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-controller-attacher-bindingsubjects: - kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-systemroleRef: kind: ClusterRole name: csi-gce-pd-attacher-role apiGroup: rbac.authorization.k8s.io
---
apiVersion: scheduling.k8s.io/v1kind: PriorityClassmetadata: name: csi-gce-pd-controllervalue: 900000000globalDefault: falsedescription: "This priority class should be used for the GCE PD CSI driver controller deployment only."
---
apiVersion: scheduling.k8s.io/v1kind: PriorityClassmetadata: name: csi-gce-pd-nodevalue: 900001000globalDefault: falsedescription: "This priority class should be used for the GCE PD CSI driver node deployment only."
---
# Resizer must be able to work with PVCs, PVs, SCs.kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-resizer-rolerules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] # If handle-volume-inuse-error=true, the pod specific rbac is needed - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"]
---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-resizer-bindingsubjects: - kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-systemroleRef: kind: ClusterRole name: csi-gce-pd-resizer-role apiGroup: rbac.authorization.k8s.io---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata: name: csi-gce-pd-controllerroleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: csi-gce-pd-node-deploysubjects:- kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-system
---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata: name: csi-gce-pd-snapshotter-rolerules: - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] # Secrets resource omitted since GCE PD snapshots does not require them - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] verbs: ["update", "patch"]---
kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-controller-snapshotter-bindingsubjects: - kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-systemroleRef: kind: ClusterRole name: csi-gce-pd-snapshotter-role apiGroup: rbac.authorization.k8s.io---
kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-leaderelection-role namespace: kube-system labels: k8s-app: gcp-compute-persistent-disk-csi-driverrules:- apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"]
---
kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata: name: csi-gce-pd-controller-leaderelection-binding namespace: kube-system labels: k8s-app: gcp-compute-persistent-disk-csi-driversubjects:- kind: ServiceAccount name: csi-gce-pd-controller-sa namespace: kube-systemroleRef: kind: Role name: csi-gce-pd-leaderelection-role apiGroup: rbac.authorization.k8s.io
|
