From d1538d7986cb0f00b718db55dc745eb70c0b9646 Mon Sep 17 00:00:00 2001 From: David Zhu Date: Tue, 4 Jun 2019 18:10:50 -0700 Subject: [PATCH] Update RBAC rules for external provisioner and attacher to the updated roles required based on upstream repositories --- deploy/kubernetes/base/setup-cluster.yaml | 15 +++--- .../overlays/alpha/rbac_add_snapshotter.yaml | 46 ++++++++++--------- 2 files changed, 34 insertions(+), 27 deletions(-) diff --git a/deploy/kubernetes/base/setup-cluster.yaml b/deploy/kubernetes/base/setup-cluster.yaml index a05db30ad..73516abb4 100644 --- a/deploy/kubernetes/base/setup-cluster.yaml +++ b/deploy/kubernetes/base/setup-cluster.yaml @@ -54,12 +54,15 @@ rules: - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] + resources: ["nodes"] + verbs: ["get", "list", "watch"] --- @@ -85,16 +88,16 @@ metadata: rules: - apiGroups: [""] resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update"] + verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - - apiGroups: ["csi.storage.k8s.io"] - resources: ["csinodeinfos"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] + verbs: ["get", "list", "watch", "update", "patch"] --- diff --git a/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml b/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml index 737f05e4f..2838e7753 100644 --- a/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml +++ b/deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml @@ -4,27 +4,31 @@ kind: ClusterRole metadata: name: external-snapshotter-role rules: -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["create", "list", "watch", "delete"] -- apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] -- apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["watch", "get", "list"] -- apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + # Secrets resource ommitted since GCE PD snapshots does not require them + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] ---