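{{- if .Values.rbacEnable }}
# ClusterRoles used by the Rook Ceph operator. Every object in this file is a
# ClusterRole (cluster-scoped); how far each grant actually reaches is decided
# by the binding that references it (RoleBinding = one namespace,
# ClusterRoleBinding = whole cluster). The bindings are not in this file.
#
# rbac.authorization.k8s.io/v1 is the GA RBAC API (Kubernetes >= 1.8); the
# v1beta1 version previously used here was removed in Kubernetes 1.22.
#
# The cluster role for managing all the cluster-specific resources in a namespace.
# It grants full read/write access to Secrets, so it is presumably meant to be
# bound with a namespaced RoleBinding ("in a namespace") — verify the binding,
# because a ClusterRoleBinding would expose every Secret in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rook-ceph-cluster-mgmt
  labels:
    operator: rook
    storage-backend: ceph
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - pods
  - pods/log
  - services
  - configmaps
  verbs:
  - get
  - list
  - watch
  - patch
  - create
  - update
  - delete
- apiGroups:
  # Deployments, DaemonSets and ReplicaSets are served from the "apps" group;
  # their "extensions" variants were removed in Kubernetes 1.16. Both groups are
  # listed so the role authorizes the operator on old and new clusters alike.
  - apps
  - extensions
  resources:
  - deployments
  - daemonsets
  - replicasets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
---
# The cluster role for managing the Rook CRDs. This one is expected to be bound
# cluster-wide: it only reads core resources and writes events, PVs, PVCs, Jobs
# and Rook's own CRDs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rook-ceph-global
  labels:
    operator: rook
    storage-backend: ceph
rules:
- apiGroups:
  - ""
  resources:
  # Pod access is needed for fencing
  - pods
  # Node access is needed for determining nodes where mons should run
  - nodes
  # nodes/proxy reaches the kubelet API on every node; read-only verbs only
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  # PVs and PVCs are managed by the Rook provisioner
  - persistentvolumes
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - patch
  - create
  - update
  - delete
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
# Rook's own CRD groups. "*" grants every verb on every resource in the group,
# including resources added by future CRD versions; this is deliberate for the
# operator but should not be copied into roles for other components.
- apiGroups:
  - ceph.rook.io
  resources:
  - "*"
  verbs:
  - "*"
- apiGroups:
  - rook.io
  resources:
  - "*"
  verbs:
  - "*"
---
# Aspects of ceph-mgr that require cluster-wide access (read-only).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-cluster
  labels:
    operator: rook
    storage-backend: ceph
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - nodes
  - nodes/proxy
  verbs:
  - get
  - list
  - watch
{{- if ((.Values.agent) and .Values.agent.mountSecurityMode) and ne .Values.agent.mountSecurityMode "Any" }}
---
# Only rendered when agent.mountSecurityMode is set and is not "Any": lets the
# agent read Secrets (get only — no list/watch, so it must know the name).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rook-ceph-agent-mount
  labels:
    operator: rook
    storage-backend: ceph
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
{{- end }}
{{- if .Values.pspEnable }}
---
# Allows the operator's service account to "use" the named PodSecurityPolicy.
# PodSecurityPolicy was removed in Kubernetes 1.25; set pspEnable to false on
# such clusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rook-ceph-system-psp-user
  labels:
    operator: rook
    storage-backend: ceph
    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
rules:
- apiGroups:
  # PodSecurityPolicy is served from the "policy" group on Kubernetes >= 1.16;
  # "extensions" is kept for older clusters.
  - policy
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - 00-rook-ceph-operator
  verbs:
  - use
{{- end }}
{{- end }}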