diff --git a/deploy/kubernetes/webhook-example/README.md b/deploy/kubernetes/webhook-example/README.md index d9ea7762..21b35bc0 100644 --- a/deploy/kubernetes/webhook-example/README.md +++ b/deploy/kubernetes/webhook-example/README.md @@ -56,7 +56,7 @@ These commands should be run from the top level directory. 3. Change the namespace in the generated `admission-configuration.yaml` file. Change the namespace in the service and deployment in the `webhook.yaml` file. -4. Create the deployment, service and admission configuration objects on the cluster. +4. Create the deployment, service, RBAC, and admission configuration objects on the cluster. ```bash kubectl apply -f ./deploy/kubernetes/webhook-example diff --git a/deploy/kubernetes/webhook-example/rbac-snapshot-webhook.yaml b/deploy/kubernetes/webhook-example/rbac-snapshot-webhook.yaml new file mode 100644 index 00000000..e2d69843 --- /dev/null +++ b/deploy/kubernetes/webhook-example/rbac-snapshot-webhook.yaml 
@@ -0,0 +1,34 @@
+# RBAC file for the snapshot webhook.
+#
+# The snapshot webhook implements the validation and admission for CSI snapshot functionality.
+# It should be installed as part of the base Kubernetes distribution in an appropriate
+# namespace for components implementing base system functionality. For installing with
+# Vanilla Kubernetes, kube-system makes sense for the namespace.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: snapshot-webhook
+ namespace: default # NOTE: change the namespace
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: snapshot-webhook-runner
+rules:
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: snapshot-webhook-role
+subjects:
+ - kind: ServiceAccount
+ name: snapshot-webhook
+ namespace: default # NOTE: change the namespace
+roleRef:
+ kind: ClusterRole
+ name: snapshot-webhook-runner
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/webhook-example/webhook.yaml b/deploy/kubernetes/webhook-example/webhook.yaml
index 0a179cdd..d48f2ce6 100644
--- a/deploy/kubernetes/webhook-example/webhook.yaml
+++ b/deploy/kubernetes/webhook-example/webhook.yaml
@@ -15,6 +15,7 @@ spec:
 labels:
 app: snapshot-validation
 spec:
+ serviceAccountName: snapshot-webhook
 containers:
 - name: snapshot-validation
 image: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v5.0.1 # change the image if you wish to use your own custom validation server image
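Review bot: In rbac-snapshot-webhook.yaml the namespace is hard-coded as `default` in two places, the ServiceAccount metadata and the ClusterRoleBinding subject, but README step 3 (unchanged context in the README hunk) still names only `admission-configuration.yaml` and `webhook.yaml` as files to edit. RBAC does not check that a binding's subject exists, so if the subject is left at `default` while the ServiceAccount moves, the apply still succeeds. The reads this role exists to allow are then denied, and the grant stays attached to a `default/snapshot-webhook` identity that nobody meant to privilege. I would add a sentence to step 3 such as `Change the namespace in the service account and cluster role binding in the rbac-snapshot-webhook.yaml file.` The rule itself is read-only and limited to `volumesnapshotclasses`, which is a sensible scope for a cluster-wide binding.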
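Review bot: In webhook.yaml the added `serviceAccountName: snapshot-webhook` has no comment tying it to the new RBAC file, although the namespace fields in rbac-snapshot-webhook.yaml are each marked `# NOTE: change the namespace`. A pod can only use a ServiceAccount from its own namespace, so if the Deployment's namespace is changed and the ServiceAccount's is not, pod creation is rejected rather than falling back to the default account. I would put `# defined in rbac-snapshot-webhook.yaml; must be in the same namespace as this Deployment` on that line. The pod spec begins before the hunk and continues past it, so the rest of the container settings are not visible here.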