{{- if .Values.serviceAccount.csiController.create -}}
# Identity used by the jiva CSI controller pod. Every ClusterRoleBinding in
# this file targets this single ServiceAccount, so its effective permissions
# are the union of the snapshotter, provisioner, attacher and registrar roles.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.serviceAccount.csiController.name }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
{{- end }}
{{- if .Values.rbac.create }}
---
# Cluster-scoped roles and bindings for the jiva CSI controller sidecars.
# All of them are ClusterRoles bound through ClusterRoleBindings, so each
# grant applies across every namespace, not only the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openebs-jiva-csi-snapshotter-binding
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.csiController.name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-jiva-csi-snapshotter-role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: openebs-jiva-csi-snapshotter-role
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
rules:
  # Read-only view of the volume objects a snapshot refers to.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # NOTE(review): get/list on secrets in a ClusterRole is a read of every
  # Secret in the cluster. Check whether a namespaced Role in the release
  # namespace would satisfy the snapshotter sidecar instead.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  # Snapshot API objects the snapshotter sidecar reconciles; contents are
  # fully managed, snapshots themselves are only read and updated.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots/status"]
    verbs: ["update"]
  # Lease objects (typically used for leader election between replicas).
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  # NOTE(review): write access to CRDs affects every namespace and every
  # consumer of those types. Confirm the snapshotter still installs CRDs
  # itself; if not, trim this to get/list/watch.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["create", "list", "watch", "delete", "get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: openebs-jiva-csi-provisioner-role
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
rules:
  # NOTE(review): as with the snapshotter role, list on secrets here is
  # cluster-wide because this is a ClusterRole.
  - apiGroups: [""]
    resources: ["secrets", "namespaces"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Volume and service objects the provisioner creates and tears down.
  - apiGroups: [""]
    resources: ["persistentvolumes", "services"]
    verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  # Snapshot objects are read-only from the provisioner's side.
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["*"]
  # NOTE(review): wildcard apiGroups combined with wildcard verbs. The
  # resource names are the jiva CRDs, so the group that owns them
  # (presumably openebs.io) should be spelled out instead of "*"; confirm
  # against the CRD manifests before narrowing.
  - apiGroups: ["*"]
    resources: ["jivavolumeattachments", "jivavolumes", "jivavolumeconfigs"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openebs-jiva-csi-provisioner-binding
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.csiController.name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-jiva-csi-provisioner-role
---
############################## CSI- Attacher #######################
# Attacher must be able to work with PVs, nodes and VolumeAttachments
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: openebs-jiva-csi-attacher-role
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): csi.storage.k8s.io is the pre-GA, CRD-backed API group;
  # the GA csinodes resource in storage.k8s.io is already granted by the
  # next rule. Confirm this rule is still exercised before keeping it.
  - apiGroups: ["csi.storage.k8s.io"]
    resources: ["csinodeinfos"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments", "csinodes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openebs-jiva-csi-attacher-binding
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.csiController.name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-jiva-csi-attacher-role
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: openebs-jiva-csi-cluster-registrar-role
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
rules:
  # NOTE(review): same pre-GA group as the csinodeinfos rule in the
  # attacher role; the GA CSIDriver object lives in storage.k8s.io.
  # Confirm which one the registrar sidecar actually writes.
  - apiGroups: ["csi.storage.k8s.io"]
    resources: ["csidrivers"]
    verbs: ["create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openebs-jiva-csi-cluster-registrar-binding
  labels:
    {{- include "jiva.csiController.labels" . | nindent 4 }}
subjects:
  - kind: ServiceAccount
    name: {{ .Values.serviceAccount.csiController.name }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openebs-jiva-csi-cluster-registrar-role
{{- end }}