1 # ============LICENSE_START=======================================================
2 # Copyright (C) 2021 The Nordix Foundation. All rights reserved.
3 # ================================================================================
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
16 # SPDX-License-Identifier: Apache-2.0
17 # ============LICENSE_END=========================================================
19 ###################################################################################################################
20 # Create the common resources that are necessary to start the operator and the ceph cluster.
21 # These resources *must* be created before the operator.yaml and cluster.yaml or their variants.
22 # The samples all assume that a single operator will manage a single cluster crd in the same "rook-ceph" namespace.
24 # If the operator needs to manage multiple clusters (in different namespaces), see the section below
25 # for "cluster-specific resources". The resources below that section will need to be created for each namespace
26 # where the operator needs to manage the cluster. The resources above that section do not need to be created again.
28 # Most of the sections are prefixed with an 'OLM' keyword, which is used to build our CSV for OLM (Operator Lifecycle Manager).
29 ###################################################################################################################
31 # Namespace where the operator and other rook resources are created
# The namespace value is Jinja-templated and quoted, so an empty or boolean-looking
# expansion still parses as a string (an unquoted leading {{ would be read by YAML
# as a flow mapping before the template engine runs).
35 name: "{{ rook_namespace }}" # namespace:cluster
36 # OLM: BEGIN OBJECTBUCKET ROLEBINDING
# Cluster-wide binding of the operator service account (rook-ceph-system) to the
# rook-ceph-object-bucket ClusterRole. The roleRef/subjects key lines are not in this
# extract; only their child fields are visible below.
38 kind: ClusterRoleBinding
39 apiVersion: rbac.authorization.k8s.io/v1
41 name: rook-ceph-object-bucket
43 apiGroup: rbac.authorization.k8s.io
45 name: rook-ceph-object-bucket
47 - kind: ServiceAccount
48 name: rook-ceph-system
49 namespace: "{{ rook_namespace }}" # namespace:operator
50 # OLM: END OBJECTBUCKET ROLEBINDING
51 # OLM: BEGIN OPERATOR ROLE
# Admission controller: its own service account, a read-only (get/watch/list) rule on
# the ceph.rook.io API group, and a ClusterRoleBinding back to that service account.
# The resources field of the rule and the kind of the referenced role are not in this
# extract; a ClusterRoleBinding's roleRef can only name a ClusterRole, so confirm the
# referenced object is one.
56 name: rook-ceph-admission-controller
57 namespace: "{{ rook_namespace }}" # namespace:operator
60 apiVersion: rbac.authorization.k8s.io/v1
62 name: rook-ceph-admission-controller-role
64 - apiGroups: ["ceph.rook.io"]
66 verbs: ["get", "watch", "list"]
68 kind: ClusterRoleBinding
69 apiVersion: rbac.authorization.k8s.io/v1
71 name: rook-ceph-admission-controller-rolebinding
73 - kind: ServiceAccount
74 name: rook-ceph-admission-controller
76 namespace: "{{ rook_namespace }}" # namespace:operator
79 name: rook-ceph-admission-controller-role
80 apiGroup: rbac.authorization.k8s.io
82 # The cluster role for managing all the cluster-specific resources in a namespace
# The rules of rook-ceph-cluster-mgmt are not in this extract.
83 apiVersion: rbac.authorization.k8s.io/v1
86 name: rook-ceph-cluster-mgmt
112 # The role for the operator to manage resources in its own namespace
# Namespaced Role rook-ceph-system; its rules are not in this extract.
113 apiVersion: rbac.authorization.k8s.io/v1
116 name: rook-ceph-system
117 namespace: "{{ rook_namespace }}" # namespace:operator
120 storage-backend: ceph
151 # The cluster role for managing the Rook CRDs
# rook-ceph-global is bound cluster-wide to the operator service account further below.
# Each resource listed carries a comment justifying the cluster-wide scope; the verbs
# granted for them are not in this extract, so check them before widening any rule.
152 apiVersion: rbac.authorization.k8s.io/v1
155 name: rook-ceph-global
158 storage-backend: ceph
163 # Pod access is needed for fencing
165 # Node access is needed for determining nodes where mons should run
177 # PVs and PVCs are managed by the Rook provisioner
179 - persistentvolumeclaims
225 # This is for the clusterdisruption controller
226 - poddisruptionbudgets
227 # This is for both clusterdisruption and nodedrain controllers
# healthchecking.openshift.io and machine.openshift.io are OpenShift API groups.
233 - healthchecking.openshift.io
235 - machinedisruptionbudgets
244 - machine.openshift.io
266 - network-attachment-definitions
270 # Aspects of ceph-mgr that require cluster-wide access
# The rules of rook-ceph-mgr-cluster and rook-ceph-object-bucket are not in this extract.
272 apiVersion: rbac.authorization.k8s.io/v1
274 name: rook-ceph-mgr-cluster
277 storage-backend: ceph
301 apiVersion: rbac.authorization.k8s.io/v1
303 name: rook-ceph-object-bucket
306 storage-backend: ceph
329 # OLM: END OPERATOR ROLE
330 # OLM: BEGIN SERVICE ACCOUNT SYSTEM
332 # The rook system service account used by the operator, agent, and discovery pods
336 name: rook-ceph-system
337 namespace: "{{ rook_namespace }}" # namespace:operator
340 storage-backend: ceph
# Commented-out sample entry for a private-registry pull secret; its parent key is not
# in this extract.
342 # - name: my-registry-secret
344 # OLM: END SERVICE ACCOUNT SYSTEM
345 # OLM: BEGIN OPERATOR ROLEBINDING
347 # Grant the operator, agent, and discovery agents access to resources in the namespace
# Namespaced RoleBinding: rook-ceph-system Role -> rook-ceph-system service account.
349 apiVersion: rbac.authorization.k8s.io/v1
351 name: rook-ceph-system
352 namespace: "{{ rook_namespace }}" # namespace:operator
355 storage-backend: ceph
357 apiGroup: rbac.authorization.k8s.io
359 name: rook-ceph-system
361 - kind: ServiceAccount
362 name: rook-ceph-system
363 namespace: "{{ rook_namespace }}" # namespace:operator
365 # Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
# ClusterRoleBinding: rook-ceph-global ClusterRole -> rook-ceph-system service account.
366 kind: ClusterRoleBinding
367 apiVersion: rbac.authorization.k8s.io/v1
369 name: rook-ceph-global
372 storage-backend: ceph
374 apiGroup: rbac.authorization.k8s.io
376 name: rook-ceph-global
378 - kind: ServiceAccount
379 name: rook-ceph-system
380 namespace: "{{ rook_namespace }}" # namespace:operator
381 # OLM: END OPERATOR ROLEBINDING
382 #################################################################################################################
383 # Beginning of cluster-specific resources. The example will assume the cluster will be created in the "rook-ceph"
384 # namespace. If you want to create the cluster in a different namespace, you will need to modify these roles
385 # and bindings accordingly.
386 #################################################################################################################
387 # Service account for the Ceph OSDs. Must exist and cannot be renamed.
388 # OLM: BEGIN SERVICE ACCOUNT OSD
# The service account's name line is not in this extract; only the namespace and a
# commented-out pull-secret sample are visible.
394 namespace: "{{ rook_namespace }}" # namespace:cluster
396 # - name: my-registry-secret
398 # OLM: END SERVICE ACCOUNT OSD
399 # OLM: BEGIN SERVICE ACCOUNT MGR
401 # Service account for the Ceph Mgr. Must exist and cannot be renamed.
# As above, the name line is not in this extract.
406 namespace: "{{ rook_namespace }}" # namespace:cluster
408 # - name: my-registry-secret
410 # OLM: END SERVICE ACCOUNT MGR
411 # OLM: BEGIN CMD REPORTER SERVICE ACCOUNT
# Service account bound to the rook-ceph-cmd-reporter Role further below.
416 name: rook-ceph-cmd-reporter
417 namespace: "{{ rook_namespace }}" # namespace:cluster
418 # OLM: END CMD REPORTER SERVICE ACCOUNT
419 # OLM: BEGIN CLUSTER ROLE
# Namespaced Role in the cluster namespace (its name line is not in this extract):
# get/list/watch/create/update/delete on configmaps, and get/list/create/update/delete on
# cephclusters plus their finalizers subresource.
# Style: the two verbs lists below use spaced `[ "get", ... ]` brackets while the rest of
# the file uses `["get", ...]`; both parse identically.
422 apiVersion: rbac.authorization.k8s.io/v1
425 namespace: "{{ rook_namespace }}" # namespace:cluster
428 resources: ["configmaps"]
429 verbs: [ "get", "list", "watch", "create", "update", "delete" ]
430 - apiGroups: ["ceph.rook.io"]
431 resources: ["cephclusters", "cephclusters/finalizers"]
432 verbs: [ "get", "list", "create", "update", "delete" ]
# Another RBAC object starts here; everything but its apiVersion is not in this extract.
435 apiVersion: rbac.authorization.k8s.io/v1
447 # Aspects of ceph-mgr that require access to the system namespace
# The rules of rook-ceph-mgr-system are not in this extract.
449 apiVersion: rbac.authorization.k8s.io/v1
451 name: rook-ceph-mgr-system
462 # Aspects of ceph-mgr that operate within the cluster's namespace
# Namespaced mgr Role; its name line and rules are not in this extract.
464 apiVersion: rbac.authorization.k8s.io/v1
467 namespace: "{{ rook_namespace }}" # namespace:cluster
497 # OLM: END CLUSTER ROLE
498 # OLM: BEGIN CMD REPORTER ROLE
# The rules of rook-ceph-cmd-reporter are not in this extract.
501 apiVersion: rbac.authorization.k8s.io/v1
503 name: rook-ceph-cmd-reporter
504 namespace: "{{ rook_namespace }}" # namespace:cluster
518 # OLM: END CMD REPORTER ROLE
519 # OLM: BEGIN CLUSTER ROLEBINDING
521 # Allow the operator to create resources in this cluster's namespace
# Cross-namespace binding: the subject is the rook-ceph-system service account in the
# operator namespace while the binding lives in the cluster namespace. When the two
# namespaces differ, the two templated values below must be set separately.
523 apiVersion: rbac.authorization.k8s.io/v1
525 name: rook-ceph-cluster-mgmt
526 namespace: "{{ rook_namespace }}" # namespace:cluster
528 apiGroup: rbac.authorization.k8s.io
530 name: rook-ceph-cluster-mgmt
532 - kind: ServiceAccount
533 name: rook-ceph-system
534 namespace: "{{ rook_namespace }}" # namespace:operator
536 # Allow the osd pods in this namespace to work with configmaps
# Binding, roleRef and subject names for the OSD binding are not in this extract.
538 apiVersion: rbac.authorization.k8s.io/v1
541 namespace: "{{ rook_namespace }}" # namespace:cluster
543 apiGroup: rbac.authorization.k8s.io
547 - kind: ServiceAccount
549 namespace: "{{ rook_namespace }}" # namespace:cluster
551 # Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules
# Binding, roleRef and subject names for the mgr binding are not in this extract.
553 apiVersion: rbac.authorization.k8s.io/v1
556 namespace: "{{ rook_namespace }}" # namespace:cluster
558 apiGroup: rbac.authorization.k8s.io
562 - kind: ServiceAccount
564 namespace: "{{ rook_namespace }}" # namespace:cluster
566 # Allow the ceph mgr to access the rook system resources necessary for the mgr modules
# Reverse direction of the cluster-mgmt binding above: a subject from the cluster
# namespace is granted rook-ceph-mgr-system in the operator namespace.
568 apiVersion: rbac.authorization.k8s.io/v1
570 name: rook-ceph-mgr-system
571 namespace: "{{ rook_namespace }}" # namespace:operator
573 apiGroup: rbac.authorization.k8s.io
575 name: rook-ceph-mgr-system
577 - kind: ServiceAccount
579 namespace: "{{ rook_namespace }}" # namespace:cluster
581 # Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
# ClusterRoleBinding for rook-ceph-mgr-cluster; the subject's name line is not in this extract.
582 kind: ClusterRoleBinding
583 apiVersion: rbac.authorization.k8s.io/v1
585 name: rook-ceph-mgr-cluster
587 apiGroup: rbac.authorization.k8s.io
589 name: rook-ceph-mgr-cluster
591 - kind: ServiceAccount
593 namespace: "{{ rook_namespace }}" # namespace:cluster
596 # Allow the ceph osd to access cluster-wide resources necessary for determining their topology location
# ClusterRoleBinding for the OSDs; binding, roleRef and subject names are not in this extract.
597 kind: ClusterRoleBinding
598 apiVersion: rbac.authorization.k8s.io/v1
602 apiGroup: rbac.authorization.k8s.io
606 - kind: ServiceAccount
608 namespace: "{{ rook_namespace }}" # namespace:cluster
610 # OLM: END CLUSTER ROLEBINDING
611 # OLM: BEGIN CMD REPORTER ROLEBINDING
# rook-ceph-cmd-reporter Role -> rook-ceph-cmd-reporter service account, cluster namespace.
614 apiVersion: rbac.authorization.k8s.io/v1
616 name: rook-ceph-cmd-reporter
617 namespace: "{{ rook_namespace }}" # namespace:cluster
619 apiGroup: rbac.authorization.k8s.io
621 name: rook-ceph-cmd-reporter
623 - kind: ServiceAccount
624 name: rook-ceph-cmd-reporter
625 namespace: "{{ rook_namespace }}" # namespace:cluster
626 # OLM: END CMD REPORTER ROLEBINDING
627 #################################################################################################################
628 # Beginning of pod security policy resources. The example will assume the cluster will be created in the
629 # "rook-ceph" namespace. If you want to create the cluster in a different namespace, you will need to modify
630 # the roles and bindings accordingly.
631 #################################################################################################################
632 # OLM: BEGIN CLUSTER POD SECURITY POLICY
# NOTE(review): PodSecurityPolicy (policy/v1beta1) was deprecated in Kubernetes 1.21 and
# removed in 1.25; on newer clusters this object is rejected and the equivalent controls
# must come from Pod Security Admission or an external admission policy.
634 apiVersion: policy/v1beta1
635 kind: PodSecurityPolicy
637 # Note: Kubernetes matches PSPs to deployments alphabetically. In some environments, this PSP may
638 # need to be renamed with a value that will match before others.
639 name: 00-rook-privileged
# The seccomp.security.alpha.kubernetes.io annotations are the pre-1.19 way to pin
# seccomp profiles: pods admitted through this PSP may only use runtime/default, and get
# it by default. Newer clusters express the same thing via securityContext.seccompProfile.
641 seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
642 seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
# The strategy values for the controls below are not in this extract; the comments
# explain why each one is left open.
648 # fsGroup - the flexVolume agent has fsGroup capabilities and could potentially be any group
651 # runAsUser, supplementalGroups - Rook needs to run some pods as root
652 # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
657 # seLinux - seLinux context is unknown ahead of time; set if this is well-known
661 # recommended minimum set
# Allowed volume types; only the persistentVolumeClaim entry is in this extract.
665 - persistentVolumeClaim
# NOTE(review): if hostPath is among the allowed volume types, leaving allowedHostPaths
# unset means a PSP places no restriction on which host paths pods may mount. Enabling
# the prefixes below (with dataDirHostPath substituted) is the cheapest hardening
# available once the mount points are known.
671 # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
673 # - pathPrefix: "/run/udev" # for OSD prep
675 # - pathPrefix: "/dev" # for OSD prep
677 # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
# The hostIPC / hostPID / hostNetwork values are not in this extract. Each one shares a
# node namespace with the pod; hostNetwork is the only one the comments mark as optional.
679 # Ceph requires host IPC for setting up encrypted devices
681 # Ceph OSDs need to share the same PID namespace
683 # hostNetwork can be set to 'false' if host networking isn't used
# Host port ranges (min values are not in this extract). Only the ranges a deployment
# actually uses need to stay open; the HTTP dashboard range is already commented out.
686 # Ceph messenger protocol v1
688 max: 6790 # <- support old default port
689 # Ceph messenger protocol v2
692 # Ceph RADOS ports for OSDs, MDSes
695 # # Ceph dashboard port HTTP (not recommended)
698 # Ceph dashboard port HTTPS
701 # Ceph mgr Prometheus Metrics
704 # OLM: END CLUSTER POD SECURITY POLICY
705 # OLM: BEGIN POD SECURITY POLICY BINDINGS
# RBAC object whose rule names the podsecuritypolicies resource (its kind, name, API
# group and verbs are not in this extract; presumably a ClusterRole with the use verb).
707 apiVersion: rbac.authorization.k8s.io/v1
715 - podsecuritypolicies
# One binding per service account: the operator (ClusterRoleBinding, subject in the
# operator namespace) and the default, osd, mgr and cmd-reporter accounts (bindings in
# the cluster namespace). roleRef names and most subject names are not in this extract.
721 apiVersion: rbac.authorization.k8s.io/v1
722 kind: ClusterRoleBinding
724 name: rook-ceph-system-psp
726 apiGroup: rbac.authorization.k8s.io
730 - kind: ServiceAccount
731 name: rook-ceph-system
732 namespace: "{{ rook_namespace }}" # namespace:operator
734 apiVersion: rbac.authorization.k8s.io/v1
737 name: rook-ceph-default-psp
738 namespace: "{{ rook_namespace }}" # namespace:cluster
740 apiGroup: rbac.authorization.k8s.io
744 - kind: ServiceAccount
746 namespace: "{{ rook_namespace }}" # namespace:cluster
748 apiVersion: rbac.authorization.k8s.io/v1
751 name: rook-ceph-osd-psp
752 namespace: "{{ rook_namespace }}" # namespace:cluster
754 apiGroup: rbac.authorization.k8s.io
758 - kind: ServiceAccount
760 namespace: "{{ rook_namespace }}" # namespace:cluster
762 apiVersion: rbac.authorization.k8s.io/v1
765 name: rook-ceph-mgr-psp
766 namespace: "{{ rook_namespace }}" # namespace:cluster
768 apiGroup: rbac.authorization.k8s.io
772 - kind: ServiceAccount
774 namespace: "{{ rook_namespace }}" # namespace:cluster
776 apiVersion: rbac.authorization.k8s.io/v1
779 name: rook-ceph-cmd-reporter-psp
780 namespace: "{{ rook_namespace }}" # namespace:cluster
782 apiGroup: rbac.authorization.k8s.io
786 - kind: ServiceAccount
787 name: rook-ceph-cmd-reporter
788 namespace: "{{ rook_namespace }}" # namespace:cluster
# NOTE(review): this END marker reads "CLUSTER POD SECURITY POLICY BINDINGS" while the
# matching BEGIN marker above reads "POD SECURITY POLICY BINDINGS"; anything that pairs
# the OLM markers by text will not match them.
789 # OLM: END CLUSTER POD SECURITY POLICY BINDINGS
790 # OLM: BEGIN CSI CEPHFS SERVICE ACCOUNT
# Two CSI identities in the operator namespace: the per-node plugin and the provisioner.
# They receive different privileges below, so keep them separate.
795 name: rook-csi-cephfs-plugin-sa
796 namespace: "{{ rook_namespace }}" # namespace:operator
801 name: rook-csi-cephfs-provisioner-sa
802 namespace: "{{ rook_namespace }}" # namespace:operator
803 # OLM: END CSI CEPHFS SERVICE ACCOUNT
804 # OLM: BEGIN CSI CEPHFS ROLE
# Namespaced Role for the provisioner: endpoints, configmaps and coordination.k8s.io
# leases (the usual leader-election objects). The apiGroups lines for the endpoints and
# configmaps rules are not in this extract.
807 apiVersion: rbac.authorization.k8s.io/v1
809 name: cephfs-external-provisioner-cfg
810 namespace: "{{ rook_namespace }}" # namespace:operator
813 resources: ["endpoints"]
814 verbs: ["get", "watch", "list", "delete", "update", "create"]
816 resources: ["configmaps"]
817 verbs: ["get", "list", "create", "delete"]
818 - apiGroups: ["coordination.k8s.io"]
819 resources: ["leases"]
820 verbs: ["get", "watch", "list", "delete", "update", "create"]
821 # OLM: END CSI CEPHFS ROLE
822 # OLM: BEGIN CSI CEPHFS ROLEBINDING
# cephfs-external-provisioner-cfg Role -> rook-csi-cephfs-provisioner-sa.
825 apiVersion: rbac.authorization.k8s.io/v1
827 name: cephfs-csi-provisioner-role-cfg
828 namespace: "{{ rook_namespace }}" # namespace:operator
830 - kind: ServiceAccount
831 name: rook-csi-cephfs-provisioner-sa
832 namespace: "{{ rook_namespace }}" # namespace:operator
835 name: cephfs-external-provisioner-cfg
836 apiGroup: rbac.authorization.k8s.io
837 # OLM: END CSI CEPHFS ROLEBINDING
838 # OLM: BEGIN CSI CEPHFS CLUSTER ROLE
# Node plugin ClusterRole. The resource of the first get/list/update rule is not in this
# extract; the remaining rules are read access to namespaces and configmaps plus
# read/update on persistentvolumes and volumeattachments.
841 apiVersion: rbac.authorization.k8s.io/v1
843 name: cephfs-csi-nodeplugin
847 verbs: ["get", "list", "update"]
849 resources: ["namespaces"]
850 verbs: ["get", "list"]
852 resources: ["persistentvolumes"]
853 verbs: ["get", "list", "watch", "update"]
854 - apiGroups: ["storage.k8s.io"]
855 resources: ["volumeattachments"]
856 verbs: ["get", "list", "watch", "update"]
858 resources: ["configmaps"]
859 verbs: ["get", "list"]
# Provisioner ClusterRole (kind line not in this extract; the section marker says
# CLUSTER ROLE, and it is bound through a ClusterRoleBinding below). NOTE(review): two
# rules here are broad for a cluster-scoped grant: get/list on secrets across all
# namespaces, and create/update/delete on customresourcedefinitions. Both belong in an
# access review; neither can be narrowed by namespace without moving it into a Role.
862 apiVersion: rbac.authorization.k8s.io/v1
864 name: cephfs-external-provisioner-runner
867 resources: ["secrets"]
868 verbs: ["get", "list"]
870 resources: ["persistentvolumes"]
871 verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
873 resources: ["persistentvolumeclaims"]
874 verbs: ["get", "list", "watch", "update"]
875 - apiGroups: ["storage.k8s.io"]
876 resources: ["storageclasses"]
877 verbs: ["get", "list", "watch"]
879 resources: ["events"]
880 verbs: ["list", "watch", "create", "update", "patch"]
881 - apiGroups: ["snapshot.storage.k8s.io"]
882 resources: ["volumesnapshots"]
883 verbs: ["get", "list", "watch", "update"]
884 - apiGroups: ["snapshot.storage.k8s.io"]
885 resources: ["volumesnapshotcontents"]
886 verbs: ["create", "get", "list", "watch", "update", "delete"]
887 - apiGroups: ["snapshot.storage.k8s.io"]
888 resources: ["volumesnapshotclasses"]
889 verbs: ["get", "list", "watch"]
890 - apiGroups: ["snapshot.storage.k8s.io"]
891 resources: ["volumesnapshotcontents/status"]
# (verbs line for volumesnapshotcontents/status is not in this extract)
893 - apiGroups: ["apiextensions.k8s.io"]
894 resources: ["customresourcedefinitions"]
895 verbs: ["create", "list", "watch", "delete", "get", "update"]
896 - apiGroups: ["snapshot.storage.k8s.io"]
897 resources: ["volumesnapshots/status"]
# (verbs line for volumesnapshots/status is not in this extract)
899 - apiGroups: ["storage.k8s.io"]
900 resources: ["volumeattachments"]
901 verbs: ["get", "list", "watch", "update", "patch"]
902 - apiGroups: ["storage.k8s.io"]
903 resources: ["volumeattachments/status"]
# (verbs line for volumeattachments/status and the apiGroups/resources of the next rule
# are not in this extract)
907 verbs: ["get", "list", "watch"]
909 resources: ["persistentvolumeclaims/status"]
910 verbs: ["update", "patch"]
911 # OLM: END CSI CEPHFS CLUSTER ROLE
912 # OLM: BEGIN CSI CEPHFS CLUSTER ROLEBINDING
# Two bindings named like PSP bindings for the CSI service accounts (their roleRef names
# are not in this extract), followed by the nodeplugin and provisioner ClusterRoleBindings.
914 apiVersion: rbac.authorization.k8s.io/v1
915 kind: ClusterRoleBinding
917 name: rook-csi-cephfs-plugin-sa-psp
919 apiGroup: rbac.authorization.k8s.io
923 - kind: ServiceAccount
924 name: rook-csi-cephfs-plugin-sa
925 namespace: "{{ rook_namespace }}" # namespace:operator
927 apiVersion: rbac.authorization.k8s.io/v1
928 kind: ClusterRoleBinding
930 name: rook-csi-cephfs-provisioner-sa-psp
932 apiGroup: rbac.authorization.k8s.io
936 - kind: ServiceAccount
937 name: rook-csi-cephfs-provisioner-sa
938 namespace: "{{ rook_namespace }}" # namespace:operator
# cephfs-csi-nodeplugin ClusterRole -> rook-csi-cephfs-plugin-sa.
940 kind: ClusterRoleBinding
941 apiVersion: rbac.authorization.k8s.io/v1
943 name: cephfs-csi-nodeplugin
945 - kind: ServiceAccount
946 name: rook-csi-cephfs-plugin-sa
947 namespace: "{{ rook_namespace }}" # namespace:operator
950 name: cephfs-csi-nodeplugin
951 apiGroup: rbac.authorization.k8s.io
# cephfs-external-provisioner-runner ClusterRole -> rook-csi-cephfs-provisioner-sa.
954 kind: ClusterRoleBinding
955 apiVersion: rbac.authorization.k8s.io/v1
957 name: cephfs-csi-provisioner-role
959 - kind: ServiceAccount
960 name: rook-csi-cephfs-provisioner-sa
961 namespace: "{{ rook_namespace }}" # namespace:operator
964 name: cephfs-external-provisioner-runner
965 apiGroup: rbac.authorization.k8s.io
966 # OLM: END CSI CEPHFS CLUSTER ROLEBINDING
967 # OLM: BEGIN CSI RBD SERVICE ACCOUNT
# RBD counterparts of the CephFS CSI identities: per-node plugin and provisioner, both
# in the operator namespace.
972 name: rook-csi-rbd-plugin-sa
973 namespace: "{{ rook_namespace }}" # namespace:operator
978 name: rook-csi-rbd-provisioner-sa
979 namespace: "{{ rook_namespace }}" # namespace:operator
980 # OLM: END CSI RBD SERVICE ACCOUNT
981 # OLM: BEGIN CSI RBD ROLE
# Namespaced Role for the RBD provisioner. Unlike the CephFS variant, the configmaps
# rule here also grants watch and update. The apiGroups lines for the endpoints and
# configmaps rules are not in this extract.
984 apiVersion: rbac.authorization.k8s.io/v1
986 name: rbd-external-provisioner-cfg
987 namespace: "{{ rook_namespace }}" # namespace:operator
990 resources: ["endpoints"]
991 verbs: ["get", "watch", "list", "delete", "update", "create"]
993 resources: ["configmaps"]
994 verbs: ["get", "list", "watch", "create", "delete", "update"]
995 - apiGroups: ["coordination.k8s.io"]
996 resources: ["leases"]
997 verbs: ["get", "watch", "list", "delete", "update", "create"]
998 # OLM: END CSI RBD ROLE
999 # OLM: BEGIN CSI RBD ROLEBINDING
# rbd-external-provisioner-cfg Role -> rook-csi-rbd-provisioner-sa.
1002 apiVersion: rbac.authorization.k8s.io/v1
1004 name: rbd-csi-provisioner-role-cfg
1005 namespace: "{{ rook_namespace }}" # namespace:operator
1007 - kind: ServiceAccount
1008 name: rook-csi-rbd-provisioner-sa
1009 namespace: "{{ rook_namespace }}" # namespace:operator
1012 name: rbd-external-provisioner-cfg
1013 apiGroup: rbac.authorization.k8s.io
1014 # OLM: END CSI RBD ROLEBINDING
1015 # OLM: BEGIN CSI RBD CLUSTER ROLE
# Node plugin ClusterRole. NOTE(review): unlike the CephFS node plugin above, this one
# reads secrets (get/list) cluster-wide and can update nodes. The plugin identity is
# present wherever the plugin runs, so these two grants deserve a look in an access
# review. The apiGroups lines for the secrets/nodes/namespaces rules are not in this extract.
1018 apiVersion: rbac.authorization.k8s.io/v1
1020 name: rbd-csi-nodeplugin
1023 resources: ["secrets"]
1024 verbs: ["get", "list"]
1026 resources: ["nodes"]
1027 verbs: ["get", "list", "update"]
1029 resources: ["namespaces"]
1030 verbs: ["get", "list"]
1032 resources: ["persistentvolumes"]
1033 verbs: ["get", "list", "watch", "update"]
1034 - apiGroups: ["storage.k8s.io"]
1035 resources: ["volumeattachments"]
1036 verbs: ["get", "list", "watch", "update"]
1038 resources: ["configmaps"]
1039 verbs: ["get", "list"]
# Provisioner ClusterRole (kind line not in this extract). As with the CephFS
# provisioner, cluster-wide secrets read (here get/list/watch) and
# customresourcedefinitions write are the grants to examine in an access review.
1042 apiVersion: rbac.authorization.k8s.io/v1
1044 name: rbd-external-provisioner-runner
1047 resources: ["secrets"]
1048 verbs: ["get", "list", "watch"]
1050 resources: ["persistentvolumes"]
1051 verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
1053 resources: ["persistentvolumeclaims"]
1054 verbs: ["get", "list", "watch", "update"]
1055 - apiGroups: ["storage.k8s.io"]
1056 resources: ["volumeattachments"]
1057 verbs: ["get", "list", "watch", "update", "patch"]
1058 - apiGroups: ["storage.k8s.io"]
1059 resources: ["volumeattachments/status"]
# (verbs line for volumeattachments/status is not in this extract)
1062 resources: ["nodes"]
1063 verbs: ["get", "list", "watch"]
1064 - apiGroups: ["storage.k8s.io"]
1065 resources: ["storageclasses"]
1066 verbs: ["get", "list", "watch"]
1068 resources: ["events"]
1069 verbs: ["list", "watch", "create", "update", "patch"]
1070 - apiGroups: ["snapshot.storage.k8s.io"]
1071 resources: ["volumesnapshots"]
1072 verbs: ["get", "list", "watch", "update"]
1073 - apiGroups: ["snapshot.storage.k8s.io"]
1074 resources: ["volumesnapshotcontents"]
1075 verbs: ["create", "get", "list", "watch", "update", "delete"]
1076 - apiGroups: ["snapshot.storage.k8s.io"]
1077 resources: ["volumesnapshotclasses"]
1078 verbs: ["get", "list", "watch"]
1079 - apiGroups: ["snapshot.storage.k8s.io"]
1080 resources: ["volumesnapshotcontents/status"]
# (verbs line for volumesnapshotcontents/status is not in this extract)
1082 - apiGroups: ["apiextensions.k8s.io"]
1083 resources: ["customresourcedefinitions"]
1084 verbs: ["create", "list", "watch", "delete", "get", "update"]
1085 - apiGroups: ["snapshot.storage.k8s.io"]
1086 resources: ["volumesnapshots/status"]
# (verbs line for volumesnapshots/status is not in this extract)
1089 resources: ["persistentvolumeclaims/status"]
1090 verbs: ["update", "patch"]
# (verbs line for the configmaps rule is not in this extract)
1092 resources: ["configmaps"]
1094 # OLM: END CSI RBD CLUSTER ROLE
1095 # OLM: BEGIN CSI RBD CLUSTER ROLEBINDING
# Two bindings named like PSP bindings for the RBD CSI service accounts (their roleRef
# names are not in this extract), then the nodeplugin and provisioner ClusterRoleBindings.
1097 apiVersion: rbac.authorization.k8s.io/v1
1098 kind: ClusterRoleBinding
1100 name: rook-csi-rbd-plugin-sa-psp
1102 apiGroup: rbac.authorization.k8s.io
1106 - kind: ServiceAccount
1107 name: rook-csi-rbd-plugin-sa
1108 namespace: "{{ rook_namespace }}" # namespace:operator
1110 apiVersion: rbac.authorization.k8s.io/v1
1111 kind: ClusterRoleBinding
1113 name: rook-csi-rbd-provisioner-sa-psp
1115 apiGroup: rbac.authorization.k8s.io
1119 - kind: ServiceAccount
1120 name: rook-csi-rbd-provisioner-sa
1121 namespace: "{{ rook_namespace }}" # namespace:operator
# rbd-csi-nodeplugin ClusterRole -> rook-csi-rbd-plugin-sa.
1123 kind: ClusterRoleBinding
1124 apiVersion: rbac.authorization.k8s.io/v1
1126 name: rbd-csi-nodeplugin
1128 - kind: ServiceAccount
1129 name: rook-csi-rbd-plugin-sa
1130 namespace: "{{ rook_namespace }}" # namespace:operator
1133 name: rbd-csi-nodeplugin
1134 apiGroup: rbac.authorization.k8s.io
# rbd-external-provisioner-runner ClusterRole -> rook-csi-rbd-provisioner-sa.
1136 kind: ClusterRoleBinding
1137 apiVersion: rbac.authorization.k8s.io/v1
1139 name: rbd-csi-provisioner-role
1141 - kind: ServiceAccount
1142 name: rook-csi-rbd-provisioner-sa
1143 namespace: "{{ rook_namespace }}" # namespace:operator
1146 name: rbd-external-provisioner-runner
1147 apiGroup: rbac.authorization.k8s.io
1148 # OLM: END CSI RBD CLUSTER ROLEBINDING