diff --git a/deploy/chart/local-path-provisioner/templates/clusterrole.yaml b/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
index a9fd1c675e2aa4fa4a8a0548b79ddbf1f321195f..7f58506a4569d8384cde052c2128f4a05367c231 100644
--- a/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
+++ b/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
@@ -6,16 +6,19 @@ metadata:
 labels:
 {{ include "local-path-provisioner.labels" . | indent 4 }}
 rules:
-- apiGroups: [""]
- resources: ["nodes", "persistentvolumeclaims", "configmaps"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["endpoints", "persistentvolumes", "pods"]
- verbs: ["*"]
-- apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes", "persistentvolumeclaims", "configmaps"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [""]
+ resources: ["endpoints", "persistentvolumes"]
+ verbs: ["*"]
+ - apiGroups: [ "" ]
+ resources: [ "events" ]
+ verbs: [ "create", "patch" ]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
 {{- end -}}
diff --git a/deploy/chart/local-path-provisioner/templates/role.yaml b/deploy/chart/local-path-provisioner/templates/role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9562816b1d7d819fec275d38756cac575e9485f5
--- /dev/null
+++ b/deploy/chart/local-path-provisioner/templates/role.yaml
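Review bot: The rule for `endpoints` and `persistentvolumes` in the clusterrole.yaml hunk still carries `verbs: ["*"]`, so the wildcard that was just taken away from `pods` remains on two cluster-scoped grants. If this ClusterRole is bound cluster-wide (the binding is not in this hunk), the service account can still write the Endpoints of any Service in any namespace. Listing the verbs the provisioner actually calls would close that, for example `verbs: ["get", "list", "watch", "create", "delete"]` on `persistentvolumes`, and `endpoints` could be dropped entirely if nothing uses it any more; neither can be confirmed from the diff alone. The same rule is kept in the `@@ -20,7 +31,10 @@` hunks of deploy/local-path-storage.yaml and examples/quota/local-path-storage.yaml.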
@@ -0,0 +1,13 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "local-path-provisioner.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "local-path-provisioner.labels" . | indent 4 }}
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+{{- end -}}
diff --git a/deploy/chart/local-path-provisioner/templates/rolebinding.yaml b/deploy/chart/local-path-provisioner/templates/rolebinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..53295c31ae6ef3eda4130a4c140163fdf025832a
--- /dev/null
+++ b/deploy/chart/local-path-provisioner/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "local-path-provisioner.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ include "local-path-provisioner.labels" . | indent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "local-path-provisioner.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "local-path-provisioner.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/deploy/local-path-storage.yaml b/deploy/local-path-storage.yaml
index 2130dfea260e5a8db491a504f3d2545627b6870d..81864f05f1f31fad6ae7d2d20cf095f817edd50e 100644
--- a/deploy/local-path-storage.yaml
+++ b/deploy/local-path-storage.yaml
@@ -10,6 +10,17 @@ metadata:
 name: local-path-provisioner-service-account
 namespace: local-path-storage
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: local-path-provisioner-role
+ namespace: local-path-storage
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
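Review bot: `create` on `pods` in `{{ .Release.Namespace }}` is only a narrow grant when the release has a namespace to itself, and role.yaml does not say so. Being able to create pods in a namespace amounts to being able to run under any ServiceAccount there and mount any Secret or ConfigMap there. The static manifests pin the dedicated `local-path-storage` namespace, but a Helm release can be installed into a shared one. A comment above `rules:` would make the assumption visible, for example `# pod create implies access to every ServiceAccount and Secret in this namespace; install the chart into a dedicated namespace`, and the chart README is the other place to state it.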
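Review bot: In rolebinding.yaml, `metadata.name` is rendered with `include` while `roleRef.name` and the subject name use `template` for the same kind of helper. Both produce the same string today, but the binding only resolves if `roleRef.name` matches the Role's `include`-rendered name exactly, so using `include` throughout removes one way for them to drift. The templated namespace is also unquoted in `metadata` and under `subjects`. A release namespace made only of digits would render as a YAML integer and be rejected by the API server, which `namespace: {{ .Release.Namespace | quote }}` avoids here and in role.yaml.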
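Review bot: The new namespaced Role in deploy/local-path-storage.yaml grants `patch` and `update` on pods alongside `create` and `delete`, which looks wider than a helper-pod lifecycle needs. If the provisioner only creates, watches and deletes its helper pods (the Go side is not part of this diff), the list can shrink to `verbs: ["get", "list", "watch", "create", "delete"]`. `get`, `list` and `watch` are also granted by the ClusterRole rule added in the next hunk, so they are redundant here, though harmless. The same verb list is used in the chart's templates/role.yaml and in examples/quota/local-path-storage.yaml.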
@@ -20,7 +31,10 @@ rules:
 resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
 verbs: [ "get", "list", "watch" ]
 - apiGroups: [ "" ]
- resources: [ "endpoints", "persistentvolumes", "pods" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "" ]
+ resources: [ "endpoints", "persistentvolumes" ]
 verbs: [ "*" ]
 - apiGroups: [ "" ]
 resources: [ "events" ]
@@ -29,6 +43,21 @@ rules:
 resources: [ "storageclasses" ]
 verbs: [ "get", "list", "watch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: local-path-provisioner-bind
+ namespace: local-path-storage
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: local-path-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: local-path-storage
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/examples/quota/local-path-storage.yaml b/examples/quota/local-path-storage.yaml
index 9edb948e05683fa5f99909939d9e98eb2df2bf34..e489eca75dae79f181d6cf15fd43158faecc8a1a 100644
--- a/examples/quota/local-path-storage.yaml
+++ b/examples/quota/local-path-storage.yaml
@@ -10,6 +10,17 @@ metadata:
 name: local-path-provisioner-service-account
 namespace: local-path-storage
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: local-path-provisioner-role
+ namespace: local-path-storage
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -20,7 +31,10 @@ rules:
 resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
 verbs: [ "get", "list", "watch" ]
 - apiGroups: [ "" ]
- resources: [ "endpoints", "persistentvolumes", "pods" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "" ]
+ resources: [ "endpoints", "persistentvolumes" ]
 verbs: [ "*" ]
 - apiGroups: [ "" ]
 resources: [ "events" ]
@@ -29,6 +43,21 @@ rules:
 resources: [ "storageclasses" ]
 verbs: [ "get", "list", "watch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: local-path-provisioner-bind
+ namespace: local-path-storage
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: local-path-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: local-path-storage
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding