---
# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml
#
# Permissions used while provisioning ObjectBuckets (OBs) in response to
# ObjectBucketClaims (OBCs). Rook runs a copy of the lib-bucket-provisioner's
# OBC controller, and an OBC may be created in any namespace, so a namespaced
# Role would not be enough: this has to be a ClusterRole.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-object-bucket
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/name: rook-ceph
    app.kubernetes.io/instance: rook-ceph
    app.kubernetes.io/version: v1.18.8
    app.kubernetes.io/part-of: rook-ceph-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/created-by: helm
    helm.sh/chart: "rook-ceph-v1.18.8"
rules:
  # Secrets and ConfigMaps carry the connection details users need to reach a
  # provisioned bucket. The OBC controller creates them and deletes them again
  # when the OBC is deleted. Note the blast radius: as a ClusterRole this grant
  # covers secrets in every namespace, but it is limited to "get" by name --
  # no "list"/"watch" -- so the subject cannot enumerate secrets.
  - apiGroups:
      - ""
    resources:
      - secrets
      - configmaps
    verbs:
      - get
      - create
      - update
      - delete

  # Both the OBC controller and Rook read provisioning parameters from the
  # OBC's StorageClass; read-only is sufficient.
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get

  # The OBC controller lists/watches OBCs and fetches the latest version of a
  # reconciled OBC. "update" would ideally not be required, but the controller
  # writes bucket information into the OBC outside of the status subresource.
  # "delete" is deliberately absent: OBCs are deleted by users, not the controller.
  - apiGroups:
      - objectbucket.io
    resources:
      - objectbucketclaims
    verbs:
      - list
      - watch
      - get
      - update

  # The OBC controller lists/watches OBs and fetches the latest version of a
  # reconciled OB. It creates an OB once Ceph has provisioned the OBC's bucket,
  # updates it when the OBC changes, and deletes it when the OBC is de-provisioned.
  - apiGroups:
      - objectbucket.io
    resources:
      - objectbuckets
    verbs:
      - list
      - watch
      - get
      - create
      - update
      - delete

  # Status updates for OBCs and OBs go through the status subresource.
  - apiGroups:
      - objectbucket.io
    resources:
      - objectbucketclaims/status
      - objectbuckets/status
    verbs:
      - update

  # This rule is not what lets the OBC/OB controllers edit finalizers -- the
  # plain "update" verbs above already cover that. It exists so that Rook's
  # controller may create resources owned by OBs/OBCs with blockOwnerDeletion
  # set, which the API server's owner-reference enforcement gates on "update"
  # of the owner's finalizers subresource.
  - apiGroups:
      - objectbucket.io
    resources:
      - objectbucketclaims/finalizers
      - objectbuckets/finalizers
    verbs:
      - update