---
# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml
# Used for provisioning ObjectBuckets (OBs) in response to ObjectBucketClaims (OBCs).
# Note: Rook runs a copy of the lib-bucket-provisioner's OBC controller.
# OBCs can be created in any Kubernetes namespace, so this must be a cluster-scoped role.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-object-bucket
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/name: rook-ceph
    app.kubernetes.io/instance: rook-ceph
    app.kubernetes.io/version: v1.18.8
    app.kubernetes.io/part-of: rook-ceph-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/created-by: helm
    helm.sh/chart: "rook-ceph-v1.18.8"
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs:
      # OBC controller creates secrets and configmaps containing information for users about how to
      # connect to object buckets. It deletes them when an OBC is deleted.
      - get
      - create
      - update
      - delete
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs:
      # OBC controller gets parameters from the OBC's storageclass
      # Rook gets additional parameters from the OBC's storageclass
      - get
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbucketclaims"]
    verbs:
      # OBC controller needs to list/watch OBCs and get latest version of a reconciled OBC
      - list
      - watch
      - get
      # Ideally, update should not be needed, but the OBC controller updates the OBC with bucket
      # information outside of the status subresource
      - update
      # OBC controller does not delete OBCs; users do this
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbuckets"]
    verbs:
      # OBC controller needs to list/watch OBs and get latest version of a reconciled OB
      - list
      - watch
      - get
      # OBC controller creates an OB when an OBC's bucket has been provisioned by Ceph, updates them
      # when an OBC is updated, and deletes them when the OBC is de-provisioned.
      - create
      - update
      - delete
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbucketclaims/status", "objectbuckets/status"]
    verbs:
      # OBC controller updates OBC and OB statuses
      - update
  - apiGroups: ["objectbucket.io"]
    # This does not strictly allow the OBC/OB controllers to update finalizers. That is handled by
    # the direct "update" permissions above. Instead, this allows Rook's controller to create
    # resources which are owned by OBs/OBCs and where blockOwnerDeletion is set.
    resources: ["objectbucketclaims/finalizers", "objectbuckets/finalizers"]
    verbs:
      - update