1 ###################################################################################################################
2 # Create the common resources that are necessary to start the operator and the ceph cluster.
3 # These resources *must* be created before the operator.yaml and cluster.yaml or their variants.
4 # The samples all assume that a single operator will manage a single cluster CRD in the same "rook-ceph" namespace.
6 # If the operator needs to manage multiple clusters (in different namespaces), see the section below
7 # for "cluster-specific resources". The resources below that section will need to be created for each namespace
8 # where the operator needs to manage the cluster. The resources above that section do not need to be created again.
10 # Most of the sections are prefixed with an 'OLM' keyword which is used to build our CSV for OLM (Operator Lifecycle Manager)
11 ###################################################################################################################
13 # Namespace where the operator and other rook resources are created
17 name: "{{ rook_namespace }}"
19 # The CRD declarations
21 apiVersion: apiextensions.k8s.io/v1beta1
22 kind: CustomResourceDefinition
24 name: cephclusters.ceph.rook.io
29 listKind: CephClusterList
90 osdMaintenanceTimeout:
92 manageMachineDisruptionBudgets:
107 pattern: ^(filestore|bluestore)$
118 pattern: ^(true|false)$
163 additionalPrinterColumns:
164 - name: DataDirHostPath
166 description: Directory used on the K8s nodes
167 JSONPath: .spec.dataDirHostPath
170 description: Number of MONs
171 JSONPath: .spec.mon.count
174 JSONPath: .metadata.creationTimestamp
177 description: Current State
178 JSONPath: .status.state
181 description: Ceph Health
182 JSONPath: .status.ceph.health
184 # OLM: BEGIN CEPH FS CRD
186 apiVersion: apiextensions.k8s.io/v1beta1
187 kind: CustomResourceDefinition
189 name: cephfilesystems.ceph.rook.io
194 listKind: CephFilesystemList
195 plural: cephfilesystems
196 singular: cephfilesystem
249 additionalPrinterColumns:
252 description: Number of desired active MDS daemons
253 JSONPath: .spec.metadataServer.activeCount
256 JSONPath: .metadata.creationTimestamp
257 # OLM: END CEPH FS CRD
258 # OLM: BEGIN CEPH NFS CRD
260 apiVersion: apiextensions.k8s.io/v1beta1
261 kind: CustomResourceDefinition
263 name: cephnfses.ceph.rook.io
268 listKind: CephNFSList
294 # OLM: END CEPH NFS CRD
295 # OLM: BEGIN CEPH OBJECT STORE CRD
297 apiVersion: apiextensions.k8s.io/v1beta1
298 kind: CustomResourceDefinition
300 name: cephobjectstores.ceph.rook.io
304 kind: CephObjectStore
305 listKind: CephObjectStoreList
306 plural: cephobjectstores
307 singular: cephobjectstore
319 sslCertificateRef: {}
356 # OLM: END CEPH OBJECT STORE CRD
357 # OLM: BEGIN CEPH OBJECT STORE USERS CRD
359 apiVersion: apiextensions.k8s.io/v1beta1
360 kind: CustomResourceDefinition
362 name: cephobjectstoreusers.ceph.rook.io
366 kind: CephObjectStoreUser
367 listKind: CephObjectStoreUserList
368 plural: cephobjectstoreusers
369 singular: cephobjectstoreuser
372 # OLM: END CEPH OBJECT STORE USERS CRD
373 # OLM: BEGIN CEPH BLOCK POOL CRD
375 apiVersion: apiextensions.k8s.io/v1beta1
376 kind: CustomResourceDefinition
378 name: cephblockpools.ceph.rook.io
383 listKind: CephBlockPoolList
384 plural: cephblockpools
385 singular: cephblockpool
388 # OLM: END CEPH BLOCK POOL CRD
389 # OLM: BEGIN CEPH VOLUME POOL CRD
391 apiVersion: apiextensions.k8s.io/v1beta1
392 kind: CustomResourceDefinition
394 name: volumes.rook.io
406 # OLM: END CEPH VOLUME POOL CRD
407 # OLM: BEGIN OBJECTBUCKET CRD
409 apiVersion: apiextensions.k8s.io/v1beta1
410 kind: CustomResourceDefinition
412 name: objectbuckets.objectbucket.io
414 group: objectbucket.io
421 listKind: ObjectBucketList
422 plural: objectbuckets
423 singular: objectbucket
430 # OLM: END OBJECTBUCKET CRD
431 # OLM: BEGIN OBJECTBUCKETCLAIM CRD
433 apiVersion: apiextensions.k8s.io/v1beta1
434 kind: CustomResourceDefinition
436 name: objectbucketclaims.objectbucket.io
442 group: objectbucket.io
444 kind: ObjectBucketClaim
445 listKind: ObjectBucketClaimList
446 plural: objectbucketclaims
447 singular: objectbucketclaim
454 # OLM: END OBJECTBUCKETCLAIM CRD
455 # OLM: BEGIN OBJECTBUCKET ROLEBINDING
457 kind: ClusterRoleBinding
458 apiVersion: rbac.authorization.k8s.io/v1beta1
460 name: rook-ceph-object-bucket
462 apiGroup: rbac.authorization.k8s.io
464 name: rook-ceph-object-bucket
466 - kind: ServiceAccount
467 name: rook-ceph-system
468 namespace: "{{ rook_namespace }}"
469 # OLM: END OBJECTBUCKET ROLEBINDING
470 # OLM: BEGIN OPERATOR ROLE
472 # The cluster role for managing all the cluster-specific resources in a namespace
473 apiVersion: rbac.authorization.k8s.io/v1beta1
476 name: rook-ceph-cluster-mgmt
479 storage-backend: ceph
481 clusterRoleSelectors:
483 rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
486 apiVersion: rbac.authorization.k8s.io/v1beta1
489 name: rook-ceph-cluster-mgmt-rules
492 storage-backend: ceph
493 rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
524 # The role for the operator to manage resources in its own namespace
525 apiVersion: rbac.authorization.k8s.io/v1beta1
528 name: rook-ceph-system
529 namespace: "{{ rook_namespace }}"
532 storage-backend: ceph
562 # The cluster role for managing the Rook CRDs
563 apiVersion: rbac.authorization.k8s.io/v1beta1
566 name: rook-ceph-global
569 storage-backend: ceph
571 clusterRoleSelectors:
573 rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
576 apiVersion: rbac.authorization.k8s.io/v1beta1
579 name: rook-ceph-global-rules
582 storage-backend: ceph
583 rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
588 # Pod access is needed for fencing
590 # Node access is needed for determining nodes where mons should run
601 # PVs and PVCs are managed by the Rook provisioner
603 - persistentvolumeclaims
648 # this is for the clusterdisruption controller
649 - poddisruptionbudgets
650 # this is for both the clusterdisruption and nodedrain controllers
655 - healthchecking.openshift.io
657 - machinedisruptionbudgets
666 - machine.openshift.io
677 # Aspects of ceph-mgr that require cluster-wide access
679 apiVersion: rbac.authorization.k8s.io/v1beta1
681 name: rook-ceph-mgr-cluster
684 storage-backend: ceph
686 clusterRoleSelectors:
688 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
692 apiVersion: rbac.authorization.k8s.io/v1beta1
694 name: rook-ceph-mgr-cluster-rules
697 storage-backend: ceph
698 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
722 apiVersion: rbac.authorization.k8s.io/v1beta1
724 name: rook-ceph-object-bucket
727 storage-backend: ceph
728 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
751 # OLM: END OPERATOR ROLE
752 # OLM: BEGIN SERVICE ACCOUNT SYSTEM
754 # The rook system service account used by the operator, agent, and discovery pods
758 name: rook-ceph-system
759 namespace: "{{ rook_namespace }}"
762 storage-backend: ceph
764 # - name: my-registry-secret
766 # OLM: END SERVICE ACCOUNT SYSTEM
767 # OLM: BEGIN OPERATOR ROLEBINDING
769 # Grant the operator, agent, and discovery agents access to resources in the namespace
771 apiVersion: rbac.authorization.k8s.io/v1beta1
773 name: rook-ceph-system
774 namespace: "{{ rook_namespace }}"
777 storage-backend: ceph
779 apiGroup: rbac.authorization.k8s.io
781 name: rook-ceph-system
783 - kind: ServiceAccount
784 name: rook-ceph-system
785 namespace: "{{ rook_namespace }}"
787 # Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
788 kind: ClusterRoleBinding
789 apiVersion: rbac.authorization.k8s.io/v1beta1
791 name: rook-ceph-global
792 namespace: "{{ rook_namespace }}"
795 storage-backend: ceph
797 apiGroup: rbac.authorization.k8s.io
799 name: rook-ceph-global
801 - kind: ServiceAccount
802 name: rook-ceph-system
803 namespace: "{{ rook_namespace }}"
804 # OLM: END OPERATOR ROLEBINDING
805 #################################################################################################################
806 # Beginning of cluster-specific resources. The example will assume the cluster will be created in the "rook-ceph"
807 # namespace. If you want to create the cluster in a different namespace, you will need to modify these roles
808 # and bindings accordingly.
809 #################################################################################################################
810 # Service account for the Ceph OSDs. Must exist and cannot be renamed.
811 # OLM: BEGIN SERVICE ACCOUNT OSD
817 namespace: "{{ rook_namespace }}"
819 # - name: my-registry-secret
821 # OLM: END SERVICE ACCOUNT OSD
822 # OLM: BEGIN SERVICE ACCOUNT MGR
824 # Service account for the Ceph Mgr. Must exist and cannot be renamed.
829 namespace: "{{ rook_namespace }}"
831 # - name: my-registry-secret
833 # OLM: END SERVICE ACCOUNT MGR
834 # OLM: BEGIN CMD REPORTER SERVICE ACCOUNT
839 name: rook-ceph-cmd-reporter
840 namespace: "{{ rook_namespace }}"
841 # OLM: END CMD REPORTER SERVICE ACCOUNT
842 # OLM: BEGIN CLUSTER ROLE
845 apiVersion: rbac.authorization.k8s.io/v1beta1
848 namespace: "{{ rook_namespace }}"
851 resources: ["configmaps"]
852 verbs: [ "get", "list", "watch", "create", "update", "delete" ]
853 - apiGroups: ["ceph.rook.io"]
854 resources: ["cephclusters", "cephclusters/finalizers"]
855 verbs: [ "get", "list", "create", "update", "delete" ]
858 apiVersion: rbac.authorization.k8s.io/v1beta1
861 namespace: "{{ rook_namespace }}"
871 # Aspects of ceph-mgr that require access to the system namespace
873 apiVersion: rbac.authorization.k8s.io/v1beta1
875 name: rook-ceph-mgr-system
876 namespace: "{{ rook_namespace }}"
878 clusterRoleSelectors:
880 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
884 apiVersion: rbac.authorization.k8s.io/v1beta1
886 name: rook-ceph-mgr-system-rules
887 namespace: "{{ rook_namespace }}"
889 rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
900 # Aspects of ceph-mgr that operate within the cluster's namespace
902 apiVersion: rbac.authorization.k8s.io/v1beta1
905 namespace: "{{ rook_namespace }}"
933 # OLM: END CLUSTER ROLE
934 # OLM: BEGIN CMD REPORTER ROLE
937 apiVersion: rbac.authorization.k8s.io/v1beta1
939 name: rook-ceph-cmd-reporter
940 namespace: "{{ rook_namespace }}"
954 # OLM: END CMD REPORTER ROLE
955 # OLM: BEGIN CLUSTER ROLEBINDING
957 # Allow the operator to create resources in this cluster's namespace
959 apiVersion: rbac.authorization.k8s.io/v1beta1
961 name: rook-ceph-cluster-mgmt
962 namespace: "{{ rook_namespace }}"
964 apiGroup: rbac.authorization.k8s.io
966 name: rook-ceph-cluster-mgmt
968 - kind: ServiceAccount
969 name: rook-ceph-system
970 namespace: "{{ rook_namespace }}"
972 # Allow the osd pods in this namespace to work with configmaps
974 apiVersion: rbac.authorization.k8s.io/v1beta1
977 namespace: "{{ rook_namespace }}"
979 apiGroup: rbac.authorization.k8s.io
983 - kind: ServiceAccount
985 namespace: "{{ rook_namespace }}"
987 # Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules
989 apiVersion: rbac.authorization.k8s.io/v1beta1
992 namespace: "{{ rook_namespace }}"
994 apiGroup: rbac.authorization.k8s.io
998 - kind: ServiceAccount
1000 namespace: "{{ rook_namespace }}"
1002 # Allow the ceph mgr to access the rook system resources necessary for the mgr modules
1004 apiVersion: rbac.authorization.k8s.io/v1beta1
1006 name: rook-ceph-mgr-system
1007 namespace: "{{ rook_namespace }}"
1009 apiGroup: rbac.authorization.k8s.io
1011 name: rook-ceph-mgr-system
1013 - kind: ServiceAccount
1015 namespace: "{{ rook_namespace }}"
1017 # Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
1018 kind: ClusterRoleBinding
1019 apiVersion: rbac.authorization.k8s.io/v1beta1
1021 name: rook-ceph-mgr-cluster
1023 apiGroup: rbac.authorization.k8s.io
1025 name: rook-ceph-mgr-cluster
1027 - kind: ServiceAccount
1029 namespace: "{{ rook_namespace }}"
1032 # Allow the ceph osd to access cluster-wide resources necessary for determining their topology location
1033 kind: ClusterRoleBinding
1034 apiVersion: rbac.authorization.k8s.io/v1beta1
1038 apiGroup: rbac.authorization.k8s.io
1042 - kind: ServiceAccount
1044 namespace: "{{ rook_namespace }}"
1046 # OLM: END CLUSTER ROLEBINDING
1047 # OLM: BEGIN CMD REPORTER ROLEBINDING
1050 apiVersion: rbac.authorization.k8s.io/v1beta1
1052 name: rook-ceph-cmd-reporter
1053 namespace: "{{ rook_namespace }}"
1055 apiGroup: rbac.authorization.k8s.io
1057 name: rook-ceph-cmd-reporter
1059 - kind: ServiceAccount
1060 name: rook-ceph-cmd-reporter
1061 namespace: "{{ rook_namespace }}"
1062 # OLM: END CMD REPORTER ROLEBINDING
1063 #################################################################################################################
1064 # Beginning of pod security policy resources. The example will assume the cluster will be created in the
1065 # "rook-ceph" namespace. If you want to create the cluster in a different namespace, you will need to modify
1066 # the roles and bindings accordingly.
1067 #################################################################################################################
1068 # OLM: BEGIN CLUSTER POD SECURITY POLICY
1070 apiVersion: policy/v1beta1
1071 kind: PodSecurityPolicy
1073 name: rook-privileged
1076 allowedCapabilities:
1079 # fsGroup - the flexVolume agent has fsGroup capabilities and could potentially be any group
1082 # runAsUser, supplementalGroups - Rook needs to run some pods as root
1083 # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
1088 # seLinux - seLinux context is unknown ahead of time; set if this is well-known
1092 # recommended minimum set
1096 - persistentVolumeClaim
1102 # allowedHostPaths can be set to Rook's known host volume mount points once they are fully known;
1103 # directory-based OSDs make these paths hard to pin down
1105 # - pathPrefix: "/run/udev" # for OSD prep
1107 # - pathPrefix: "/dev" # for OSD prep
1109 # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
1111 # Ceph requires host IPC for setting up encrypted devices
1113 # Ceph OSDs need to share the same PID namespace
1115 # hostNetwork can be set to 'false' if host networking isn't used
1118 # Ceph messenger protocol v1
1120 max: 6790 # <- support old default port
1121 # Ceph messenger protocol v2
1124 # Ceph RADOS ports for OSDs, MDSes
1127 # # Ceph dashboard port HTTP (not recommended)
1130 # Ceph dashboard port HTTPS
1133 # Ceph mgr Prometheus Metrics
1136 # OLM: END CLUSTER POD SECURITY POLICY
1137 # OLM: BEGIN POD SECURITY POLICY BINDINGS
1139 apiVersion: rbac.authorization.k8s.io/v1
1147 - podsecuritypolicies
1153 apiVersion: rbac.authorization.k8s.io/v1
1154 kind: ClusterRoleBinding
1156 name: rook-ceph-system-psp
1158 apiGroup: rbac.authorization.k8s.io
1162 - kind: ServiceAccount
1163 name: rook-ceph-system
1164 namespace: "{{ rook_namespace }}"
1166 apiVersion: rbac.authorization.k8s.io/v1
1169 name: rook-ceph-default-psp
1170 namespace: "{{ rook_namespace }}"
1172 apiGroup: rbac.authorization.k8s.io
1176 - kind: ServiceAccount
1178 namespace: "{{ rook_namespace }}"
1180 apiVersion: rbac.authorization.k8s.io/v1
1183 name: rook-ceph-osd-psp
1184 namespace: "{{ rook_namespace }}"
1186 apiGroup: rbac.authorization.k8s.io
1190 - kind: ServiceAccount
1192 namespace: "{{ rook_namespace }}"
1194 apiVersion: rbac.authorization.k8s.io/v1
1197 name: rook-ceph-mgr-psp
1198 namespace: "{{ rook_namespace }}"
1200 apiGroup: rbac.authorization.k8s.io
1204 - kind: ServiceAccount
1206 namespace: "{{ rook_namespace }}"
1208 apiVersion: rbac.authorization.k8s.io/v1
1211 name: rook-ceph-cmd-reporter-psp
1212 namespace: "{{ rook_namespace }}"
1214 apiGroup: rbac.authorization.k8s.io
1218 - kind: ServiceAccount
1219 name: rook-ceph-cmd-reporter
1220 namespace: "{{ rook_namespace }}"
1221 # OLM: END CLUSTER POD SECURITY POLICY BINDINGS
1222 # OLM: BEGIN CSI CEPHFS SERVICE ACCOUNT
1225 kind: ServiceAccount
1227 name: rook-csi-cephfs-plugin-sa
1228 namespace: "{{ rook_namespace }}"
1231 kind: ServiceAccount
1233 name: rook-csi-cephfs-provisioner-sa
1234 namespace: "{{ rook_namespace }}"
1235 # OLM: END CSI CEPHFS SERVICE ACCOUNT
1236 # OLM: BEGIN CSI CEPHFS ROLE
1239 apiVersion: rbac.authorization.k8s.io/v1
1241 namespace: "{{ rook_namespace }}"
1242 name: cephfs-external-provisioner-cfg
1245 resources: ["endpoints"]
1246 verbs: ["get", "watch", "list", "delete", "update", "create"]
1248 resources: ["configmaps"]
1249 verbs: ["get", "list", "create", "delete"]
1250 - apiGroups: ["coordination.k8s.io"]
1251 resources: ["leases"]
1252 verbs: ["get", "watch", "list", "delete", "update", "create"]
1253 # OLM: END CSI CEPHFS ROLE
1254 # OLM: BEGIN CSI CEPHFS ROLEBINDING
1257 apiVersion: rbac.authorization.k8s.io/v1
1259 name: cephfs-csi-provisioner-role-cfg
1260 namespace: "{{ rook_namespace }}"
1262 - kind: ServiceAccount
1263 name: rook-csi-cephfs-provisioner-sa
1264 namespace: "{{ rook_namespace }}"
1267 name: cephfs-external-provisioner-cfg
1268 apiGroup: rbac.authorization.k8s.io
1269 # OLM: END CSI CEPHFS ROLEBINDING
1270 # OLM: BEGIN CSI CEPHFS CLUSTER ROLE
1273 apiVersion: rbac.authorization.k8s.io/v1
1275 name: cephfs-csi-nodeplugin
1277 clusterRoleSelectors:
1279 rbac.ceph.rook.io/aggregate-to-cephfs-csi-nodeplugin: "true"
1283 apiVersion: rbac.authorization.k8s.io/v1
1285 name: cephfs-csi-nodeplugin-rules
1287 rbac.ceph.rook.io/aggregate-to-cephfs-csi-nodeplugin: "true"
1290 resources: ["nodes"]
1291 verbs: ["get", "list", "update"]
1293 resources: ["namespaces"]
1294 verbs: ["get", "list"]
1296 resources: ["persistentvolumes"]
1297 verbs: ["get", "list", "watch", "update"]
1298 - apiGroups: ["storage.k8s.io"]
1299 resources: ["volumeattachments"]
1300 verbs: ["get", "list", "watch", "update"]
1302 resources: ["configmaps"]
1303 verbs: ["get", "list"]
1306 apiVersion: rbac.authorization.k8s.io/v1
1308 name: cephfs-external-provisioner-runner
1310 clusterRoleSelectors:
1312 rbac.ceph.rook.io/aggregate-to-cephfs-external-provisioner-runner: "true"
1316 apiVersion: rbac.authorization.k8s.io/v1
1318 name: cephfs-external-provisioner-runner-rules
1320 rbac.ceph.rook.io/aggregate-to-cephfs-external-provisioner-runner: "true"
1323 resources: ["secrets"]
1324 verbs: ["get", "list"]
1326 resources: ["persistentvolumes"]
1327 verbs: ["get", "list", "watch", "create", "delete", "update"]
1329 resources: ["persistentvolumeclaims"]
1330 verbs: ["get", "list", "watch", "update"]
1331 - apiGroups: ["storage.k8s.io"]
1332 resources: ["storageclasses"]
1333 verbs: ["get", "list", "watch"]
1335 resources: ["events"]
1336 verbs: ["list", "watch", "create", "update", "patch"]
1337 - apiGroups: ["storage.k8s.io"]
1338 resources: ["volumeattachments"]
1339 verbs: ["get", "list", "watch", "update"]
1341 resources: ["nodes"]
1342 verbs: ["get", "list", "watch"]
1343 # OLM: END CSI CEPHFS CLUSTER ROLE
1344 # OLM: BEGIN CSI CEPHFS CLUSTER ROLEBINDING
1346 apiVersion: rbac.authorization.k8s.io/v1
1347 kind: ClusterRoleBinding
1349 name: rook-csi-cephfs-plugin-sa-psp
1351 apiGroup: rbac.authorization.k8s.io
1355 - kind: ServiceAccount
1356 name: rook-csi-cephfs-plugin-sa
1357 namespace: "{{ rook_namespace }}"
1359 apiVersion: rbac.authorization.k8s.io/v1
1360 kind: ClusterRoleBinding
1362 name: rook-csi-cephfs-provisioner-sa-psp
1364 apiGroup: rbac.authorization.k8s.io
1368 - kind: ServiceAccount
1369 name: rook-csi-cephfs-provisioner-sa
1370 namespace: "{{ rook_namespace }}"
1372 kind: ClusterRoleBinding
1373 apiVersion: rbac.authorization.k8s.io/v1
1375 name: cephfs-csi-nodeplugin
1377 - kind: ServiceAccount
1378 name: rook-csi-cephfs-plugin-sa
1379 namespace: "{{ rook_namespace }}"
1382 name: cephfs-csi-nodeplugin
1383 apiGroup: rbac.authorization.k8s.io
1386 kind: ClusterRoleBinding
1387 apiVersion: rbac.authorization.k8s.io/v1
1389 name: cephfs-csi-provisioner-role
1391 - kind: ServiceAccount
1392 name: rook-csi-cephfs-provisioner-sa
1393 namespace: "{{ rook_namespace }}"
1396 name: cephfs-external-provisioner-runner
1397 apiGroup: rbac.authorization.k8s.io
1398 # OLM: END CSI CEPHFS CLUSTER ROLEBINDING
1399 # OLM: BEGIN CSI RBD SERVICE ACCOUNT
1402 kind: ServiceAccount
1404 name: rook-csi-rbd-plugin-sa
1405 namespace: "{{ rook_namespace }}"
1408 kind: ServiceAccount
1410 name: rook-csi-rbd-provisioner-sa
1411 namespace: "{{ rook_namespace }}"
1412 # OLM: END CSI RBD SERVICE ACCOUNT
1413 # OLM: BEGIN CSI RBD ROLE
1416 apiVersion: rbac.authorization.k8s.io/v1
1418 namespace: "{{ rook_namespace }}"
1419 name: rbd-external-provisioner-cfg
1422 resources: ["endpoints"]
1423 verbs: ["get", "watch", "list", "delete", "update", "create"]
1425 resources: ["configmaps"]
1426 verbs: ["get", "list", "watch", "create", "delete"]
1427 - apiGroups: ["coordination.k8s.io"]
1428 resources: ["leases"]
1429 verbs: ["get", "watch", "list", "delete", "update", "create"]
1430 # OLM: END CSI RBD ROLE
1431 # OLM: BEGIN CSI RBD ROLEBINDING
1434 apiVersion: rbac.authorization.k8s.io/v1
1436 name: rbd-csi-provisioner-role-cfg
1437 namespace: "{{ rook_namespace }}"
1439 - kind: ServiceAccount
1440 name: rook-csi-rbd-provisioner-sa
1441 namespace: "{{ rook_namespace }}"
1444 name: rbd-external-provisioner-cfg
1445 apiGroup: rbac.authorization.k8s.io
1446 # OLM: END CSI RBD ROLEBINDING
1447 # OLM: BEGIN CSI RBD CLUSTER ROLE
1450 apiVersion: rbac.authorization.k8s.io/v1
1452 name: rbd-csi-nodeplugin
1454 clusterRoleSelectors:
1456 rbac.ceph.rook.io/aggregate-to-rbd-csi-nodeplugin: "true"
1460 apiVersion: rbac.authorization.k8s.io/v1
1462 name: rbd-csi-nodeplugin-rules
1464 rbac.ceph.rook.io/aggregate-to-rbd-csi-nodeplugin: "true"
1467 resources: ["secrets"]
1468 verbs: ["get", "list"]
1470 resources: ["nodes"]
1471 verbs: ["get", "list", "update"]
1473 resources: ["namespaces"]
1474 verbs: ["get", "list"]
1476 resources: ["persistentvolumes"]
1477 verbs: ["get", "list", "watch", "update"]
1478 - apiGroups: ["storage.k8s.io"]
1479 resources: ["volumeattachments"]
1480 verbs: ["get", "list", "watch", "update"]
1482 resources: ["configmaps"]
1483 verbs: ["get", "list"]
1486 apiVersion: rbac.authorization.k8s.io/v1
1488 name: rbd-external-provisioner-runner
1490 clusterRoleSelectors:
1492 rbac.ceph.rook.io/aggregate-to-rbd-external-provisioner-runner: "true"
1496 apiVersion: rbac.authorization.k8s.io/v1
1498 name: rbd-external-provisioner-runner-rules
1500 rbac.ceph.rook.io/aggregate-to-rbd-external-provisioner-runner: "true"
1503 resources: ["secrets"]
1504 verbs: ["get", "list"]
1506 resources: ["persistentvolumes"]
1507 verbs: ["get", "list", "watch", "create", "delete", "update"]
1509 resources: ["persistentvolumeclaims"]
1510 verbs: ["get", "list", "watch", "update"]
1511 - apiGroups: ["storage.k8s.io"]
1512 resources: ["volumeattachments"]
1513 verbs: ["get", "list", "watch", "update"]
1515 resources: ["nodes"]
1516 verbs: ["get", "list", "watch"]
1517 - apiGroups: ["storage.k8s.io"]
1518 resources: ["storageclasses"]
1519 verbs: ["get", "list", "watch"]
1521 resources: ["events"]
1522 verbs: ["list", "watch", "create", "update", "patch"]
1523 - apiGroups: ["snapshot.storage.k8s.io"]
1524 resources: ["volumesnapshots"]
1525 verbs: ["get", "list", "watch", "update"]
1526 - apiGroups: ["snapshot.storage.k8s.io"]
1527 resources: ["volumesnapshotcontents"]
1528 verbs: ["create", "get", "list", "watch", "update", "delete"]
1529 - apiGroups: ["snapshot.storage.k8s.io"]
1530 resources: ["volumesnapshotclasses"]
1531 verbs: ["get", "list", "watch"]
1532 - apiGroups: ["apiextensions.k8s.io"]
1533 resources: ["customresourcedefinitions"]
1534 verbs: ["create", "list", "watch", "delete", "get", "update"]
1535 - apiGroups: ["snapshot.storage.k8s.io"]
1536 resources: ["volumesnapshots/status"]
1538 # OLM: END CSI RBD CLUSTER ROLE
1539 # OLM: BEGIN CSI RBD CLUSTER ROLEBINDING
1541 apiVersion: rbac.authorization.k8s.io/v1
1542 kind: ClusterRoleBinding
1544 name: rook-csi-rbd-plugin-sa-psp
1546 apiGroup: rbac.authorization.k8s.io
1550 - kind: ServiceAccount
1551 name: rook-csi-rbd-plugin-sa
1552 namespace: "{{ rook_namespace }}"
1554 apiVersion: rbac.authorization.k8s.io/v1
1555 kind: ClusterRoleBinding
1557 name: rook-csi-rbd-provisioner-sa-psp
1559 apiGroup: rbac.authorization.k8s.io
1563 - kind: ServiceAccount
1564 name: rook-csi-rbd-provisioner-sa
1565 namespace: "{{ rook_namespace }}"
1567 kind: ClusterRoleBinding
1568 apiVersion: rbac.authorization.k8s.io/v1
1570 name: rbd-csi-nodeplugin
1572 - kind: ServiceAccount
1573 name: rook-csi-rbd-plugin-sa
1574 namespace: "{{ rook_namespace }}"
1577 name: rbd-csi-nodeplugin
1578 apiGroup: rbac.authorization.k8s.io
1580 kind: ClusterRoleBinding
1581 apiVersion: rbac.authorization.k8s.io/v1
1583 name: rbd-csi-provisioner-role
1585 - kind: ServiceAccount
1586 name: rook-csi-rbd-provisioner-sa
1587 namespace: "{{ rook_namespace }}"
1590 name: rbd-external-provisioner-runner
1591 apiGroup: rbac.authorization.k8s.io
1592 # OLM: END CSI RBD CLUSTER ROLEBINDING