Add bootstrap cluster role for external pv provisioners
parent
68f123dfa0
commit
caefe1a9ed
@ -284,6 +284,21 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
rbac.NewRule("list", "watch").Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
|
rbac.NewRule("list", "watch").Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
// a role for an external/out-of-tree persistent volume provisioner
|
||||||
|
ObjectMeta: metav1.ObjectMeta{Name: "system:persistent-volume-provisioner"},
|
||||||
|
Rules: []rbac.PolicyRule{
|
||||||
|
rbac.NewRule("get", "list", "watch", "create", "delete").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(),
|
||||||
|
// update is needed in addition to read access for setting lock annotations on PVCs
|
||||||
|
rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),
|
||||||
|
rbac.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(),
|
||||||
|
|
||||||
|
// Needed for watching provisioning success and failure events
|
||||||
|
rbac.NewRule("watch").Groups(legacyGroup).Resources("events").RuleOrDie(),
|
||||||
|
|
||||||
|
eventsRule(),
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
addClusterRoleLabel(roles)
|
addClusterRoleLabel(roles)
|
||||||
return roles
|
return roles
|
||||||
|
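Review bot: The one-line comment on the new `system:persistent-volume-provisioner` entry understates the grant: the rules give create and delete on `persistentvolumes`, update on `persistentvolumeclaims`, and watch on `events`, with no `resourceNames` restriction on any of them. A subject bound to this role cluster-wide can define PersistentVolumes of any volume type the cluster accepts and rewrite any claim, so the role should only ever be bound to a dedicated provisioner service account; no binding is visible in this hunk, so whether one is created by default cannot be confirmed from here. I would expand the comment to something like `// grants cluster-wide PV create/delete and PVC update; bind only to a dedicated provisioner service account`. The PVC comment could also say that `update` covers the whole object, not only the lock annotation, for example `// update covers the entire PVC object; RBAC cannot limit it to the lock annotation`. `ClusterRoles()` begins and ends outside this hunk.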
@ -653,6 +653,55 @@ items:
|
|||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- apiVersion: rbac.authorization.k8s.io/v1alpha1
|
- apiVersion: rbac.authorization.k8s.io/v1alpha1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
creationTimestamp: null
|
||||||
|
labels:
|
||||||
|
kubernetes.io/bootstrapping: rbac-defaults
|
||||||
|
name: system:persistent-volume-provisioner
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- persistentvolumes
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- persistentvolumeclaims
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- storage.k8s.io
|
||||||
|
resources:
|
||||||
|
- storageclasses
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- events
|
||||||
|
verbs:
|
||||||
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- events
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
creationTimestamp: null
|
creationTimestamp: null
|
||||||
|