Adding webhook RBAC to enable validation of snapshotclasses

2022-05-10 16:30:51 -04:00
parent 3cf71378c2
commit 8ae62e79ff
3 changed files with 36 additions and 1 deletions
--- a/deploy/kubernetes/webhook-example/README.md
+++ b/deploy/kubernetes/webhook-example/README.md
@@ -56,7 +56,7 @@ These commands should be run from the top level directory.

 3. Change the namespace in the generated `admission-configuration.yaml` file. Change the namespace in the service and deployment in the `webhook.yaml` file.

-4. Create the deployment, service and admission configuration objects on the cluster.
+4. Create the deployment, service, RBAC, and admission configuration objects on the cluster.

    ```bash
    kubectl apply -f ./deploy/kubernetes/webhook-example
--- a/deploy/kubernetes/webhook-example/rbac-snapshot-webhook.yaml
+++ b/deploy/kubernetes/webhook-example/rbac-snapshot-webhook.yaml
@@ -0,0 +1,34 @@
+# RBAC file for the snapshot webhook.
+#
+# The snapshot webhook implements the validation and admission for CSI snapshot functionality.
+# It should be installed as part of the base Kubernetes distribution in an appropriate
+# namespace for components implementing base system functionality. For installing with
+# Vanilla Kubernetes, kube-system makes sense for the namespace.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: snapshot-webhook
+  namespace: default # NOTE: change the namespace
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-webhook-runner
+rules:
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-webhook-role
+subjects:
+  - kind: ServiceAccount
+    name: snapshot-webhook
+    namespace: default # NOTE: change the namespace
+roleRef:
+  kind: ClusterRole
+  name: snapshot-webhook-runner
+  apiGroup: rbac.authorization.k8s.io
--- a/deploy/kubernetes/webhook-example/webhook.yaml
+++ b/deploy/kubernetes/webhook-example/webhook.yaml
@@ -15,6 +15,7 @@ spec:
      labels:
        app: snapshot-validation
    spec:
+      serviceAccountName: snapshot-webhook
      containers:
      - name: snapshot-validation
        image: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v5.0.1 # change the image if you wish to use your own custom validation server image