926df0c8c4
The YAML Specification requires three daashes `---` as marker for the start of a content block. That means, each YAML file needs to start with `---` on the first line (or after initial comments). See-also: https://yaml.org/
39 lines
1.2 KiB
YAML
39 lines
1.2 KiB
YAML
# RBAC file for the snapshot webhook.
|
|
#
|
|
# The snapshot webhook implements the validation and admission for CSI snapshot functionality.
|
|
# It should be installed as part of the base Kubernetes distribution in an appropriate
|
|
# namespace for components implementing base system functionality. For installing with
|
|
# Vanilla Kubernetes, kube-system makes sense for the namespace.
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: snapshot-webhook
|
|
namespace: default # NOTE: change the namespace
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: snapshot-webhook-runner
|
|
rules:
|
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
resources: ["volumesnapshotclasses"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["groupsnapshot.storage.k8s.io"]
|
|
resources: ["volumegroupsnapshotclasses"]
|
|
verbs: ["get", "list", "watch"]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: snapshot-webhook-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: snapshot-webhook
|
|
namespace: default # NOTE: change the namespace
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: snapshot-webhook-runner
|
|
apiGroup: rbac.authorization.k8s.io
|