gitea-bot
7a96d06727
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. Reviewed-on: #2259 Co-authored-by: gitea-bot <gitea-bot@alexlebens.net> Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
213 lines
5.6 KiB
YAML
213 lines
5.6 KiB
YAML
---
|
|
# Source: rook-ceph/charts/rook-ceph/templates/clusterrole.yaml
|
|
# The cluster role for managing the Rook CRDs
|
|
# Rook watches for its CRDs in all namespaces, so this should be a cluster-scoped role unless the
|
|
# operator config `ROOK_CURRENT_NAMESPACE_ONLY=true`.
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: rook-ceph-global
|
|
labels:
|
|
operator: rook
|
|
storage-backend: ceph
|
|
app.kubernetes.io/name: rook-ceph
|
|
app.kubernetes.io/instance: rook-ceph
|
|
app.kubernetes.io/version: v1.18.8
|
|
app.kubernetes.io/part-of: rook-ceph-operator
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/created-by: helm
|
|
helm.sh/chart: "rook-ceph-v1.18.8"
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
# Pod access is needed for fencing
|
|
- pods
|
|
# Node access is needed for determining nodes where mons should run
|
|
- nodes
|
|
- nodes/proxy
|
|
# Rook watches secrets which it uses to configure access to external resources.
|
|
# e.g., external Ceph cluster or object store
|
|
- secrets
|
|
# Rook watches for changes to the rook-operator-config configmap
|
|
- configmaps
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
- "discovery.k8s.io"
|
|
resources:
|
|
# Rook creates events for its custom resources
|
|
- events
|
|
# Rook creates PVs and PVCs for OSDs managed by the Rook provisioner
|
|
- persistentvolumes
|
|
- persistentvolumeclaims
|
|
# Rook creates endpoints for mgr and object store access
|
|
- endpoints
|
|
- services
|
|
- endpointslices
|
|
- endpointslices/restricted
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- patch
|
|
- create
|
|
- update
|
|
- delete
|
|
- apiGroups:
|
|
- storage.k8s.io
|
|
resources:
|
|
- storageclasses
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- apiGroups:
|
|
- batch
|
|
resources:
|
|
- jobs
|
|
- cronjobs
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- update
|
|
- delete
|
|
- deletecollection
|
|
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
|
|
- apiGroups: ["ceph.rook.io"]
|
|
resources:
|
|
- cephclients
|
|
- cephclusters
|
|
- cephblockpools
|
|
- cephfilesystems
|
|
- cephnfses
|
|
- cephobjectstores
|
|
- cephobjectstoreusers
|
|
- cephobjectrealms
|
|
- cephobjectzonegroups
|
|
- cephobjectzones
|
|
- cephbuckettopics
|
|
- cephbucketnotifications
|
|
- cephrbdmirrors
|
|
- cephfilesystemmirrors
|
|
- cephfilesystemsubvolumegroups
|
|
- cephblockpoolradosnamespaces
|
|
- cephcosidrivers
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
# Ideally the update permission is not required, but Rook needs it to add finalizers to resources.
|
|
- update
|
|
# Rook must have update access to status subresources for its custom resources.
|
|
- apiGroups: ["ceph.rook.io"]
|
|
resources:
|
|
- cephclients/status
|
|
- cephclusters/status
|
|
- cephblockpools/status
|
|
- cephfilesystems/status
|
|
- cephnfses/status
|
|
- cephobjectstores/status
|
|
- cephobjectstoreusers/status
|
|
- cephobjectrealms/status
|
|
- cephobjectzonegroups/status
|
|
- cephobjectzones/status
|
|
- cephbuckettopics/status
|
|
- cephbucketnotifications/status
|
|
- cephrbdmirrors/status
|
|
- cephfilesystemmirrors/status
|
|
- cephfilesystemsubvolumegroups/status
|
|
- cephblockpoolradosnamespaces/status
|
|
verbs: ["update"]
|
|
# The "*/finalizers" permission may need to be strictly given for K8s clusters where
|
|
# OwnerReferencesPermissionEnforcement is enabled so that Rook can set blockOwnerDeletion on
|
|
# resources owned by Rook CRs (e.g., a Secret owned by an OSD Deployment). See more:
|
|
# https://kubernetes.io/docs/reference/access-authn-authz/_print/#ownerreferencespermissionenforcement
|
|
- apiGroups: ["ceph.rook.io"]
|
|
resources:
|
|
- cephclients/finalizers
|
|
- cephclusters/finalizers
|
|
- cephblockpools/finalizers
|
|
- cephfilesystems/finalizers
|
|
- cephnfses/finalizers
|
|
- cephobjectstores/finalizers
|
|
- cephobjectstoreusers/finalizers
|
|
- cephobjectrealms/finalizers
|
|
- cephobjectzonegroups/finalizers
|
|
- cephobjectzones/finalizers
|
|
- cephbuckettopics/finalizers
|
|
- cephbucketnotifications/finalizers
|
|
- cephrbdmirrors/finalizers
|
|
- cephfilesystemmirrors/finalizers
|
|
- cephfilesystemsubvolumegroups/finalizers
|
|
- cephblockpoolradosnamespaces/finalizers
|
|
verbs: ["update"]
|
|
- apiGroups:
|
|
- policy
|
|
- apps
|
|
- extensions
|
|
resources:
|
|
# This is for the clusterdisruption controller
|
|
- poddisruptionbudgets
|
|
# This is for both clusterdisruption and nodedrain controllers
|
|
- deployments
|
|
- replicasets
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- update
|
|
- delete
|
|
- deletecollection
|
|
- apiGroups:
|
|
- apps
|
|
resources:
|
|
# This is to add osd deployment owner ref on key rotation
|
|
# cron jobs.
|
|
- deployments/finalizers
|
|
verbs:
|
|
- update
|
|
- apiGroups:
|
|
- healthchecking.openshift.io
|
|
resources:
|
|
- machinedisruptionbudgets
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- update
|
|
- delete
|
|
- apiGroups:
|
|
- machine.openshift.io
|
|
resources:
|
|
- machines
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
- create
|
|
- update
|
|
- delete
|
|
- apiGroups:
|
|
- storage.k8s.io
|
|
resources:
|
|
- csidrivers
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- update
|
|
- apiGroups:
|
|
- k8s.cni.cncf.io
|
|
resources:
|
|
- network-attachment-definitions
|
|
verbs:
|
|
- get
|