infrastructure/clusters/cl01tl/manifests/rook-ceph/ClusterRole-rook-ceph-system.yml

---
# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-system
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/name: rook-ceph
    app.kubernetes.io/instance: rook-ceph
    app.kubernetes.io/version: v1.18.8
    app.kubernetes.io/part-of: rook-ceph-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/created-by: helm
    helm.sh/chart: "rook-ceph-v1.18.8"
rules:
  # Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
  # However, some Kubernetes APIs involve a "subresource", such as the logs for a pod. [...]
  # To represent this in an RBAC role, use a slash to delimit the resource and subresource.
  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: ["csiaddons.openshift.io"]
    resources: ["networkfences"]
    verbs: ["create", "get", "update", "delete", "watch", "list", "deletecollection"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get"]
  - apiGroups: ["csi.ceph.io"]
    resources: ["cephconnections"]
    verbs: ["create", "delete", "get", "list", "update", "watch"]
  - apiGroups: ["csi.ceph.io"]
    resources: ["clientprofiles"]
    verbs: ["create", "delete", "get", "list", "update", "watch"]
  - apiGroups: ["csi.ceph.io"]
    resources: ["operatorconfigs"]
    verbs: ["create", "delete", "get", "list", "update", "watch"]
  - apiGroups: ["csi.ceph.io"]
    resources: ["drivers"]
    verbs: ["create", "delete", "get", "list", "update", "watch"]