--- kind: ServiceAccount apiVersion: v1 metadata: name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-provisioner-role rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list", "create"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list"] - apiGroups: [""] resources: ["serviceaccounts"] verbs: ["get", "list", "create"] - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "create"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete", "update"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: [""] resources: ["services"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["get", "list"] {{- end }} - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "delete"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch", "delete"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-provisioner-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: hpe-csi-provisioner-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-attacher-role rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments/status"] verbs: ["get", "list", "watch", "update", "create", "delete", "patch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] {{- if and (eq .Capabilities.KubeVersion.Major "1") ( eq ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "12") }} resources: ["csinodeinfos"] verbs: ["get", "list", "watch"] {{- else if and (eq .Capabilities.KubeVersion.Major "1") ( eq ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "13") }} - apiGroups: ["csi.storage.k8s.io"] resources: ["csinodeinfos"] verbs: ["get", "list", "watch"] {{ else }} - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch"] {{- end }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-attacher-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: hpe-csi-attacher-role apiGroup: rbac.authorization.k8s.io {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "17") }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-snapshotter-role rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["create", "update", "delete", "get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots/status"] verbs: ["update"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["create", "update", "delete", "get", "list", "watch", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch", "create", "delete", "update"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-snapshotter-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: hpe-csi-snapshotter-role apiGroup: rbac.authorization.k8s.io {{- end }} {{- if and (eq .Capabilities.KubeVersion.Major "1") ( ge ( trimSuffix "+" .Capabilities.KubeVersion.Minor ) "15") }} --- # Resizer must be able to work with PVCs, PVs, SCs. kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: external-resizer-role rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-resizer-role subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: external-resizer-role apiGroup: rbac.authorization.k8s.io --- # Resizer must be able to work with end point in current namespace # if (and only if) leadership election is enabled kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: {{ .Release.Namespace }} name: external-resizer-cfg rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-resizer-role-cfg namespace: {{ .Release.Namespace }} subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: Role name: external-resizer-cfg apiGroup: rbac.authorization.k8s.io --- # cluster role to support volumegroup kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-volumegroup-role rules: - apiGroups: ["storage.hpe.com"] resources: ["volumegroups"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["volumegroupcontents"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["volumegroupclasses"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["volumegroups/status"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["volumegroupcontents/status"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list", "create"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete", "get", "update"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-volumegroup-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: hpe-csi-volumegroup-role apiGroup: rbac.authorization.k8s.io --- # cluster role to support snapshotgroup kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-snapshotgroup-role rules: - apiGroups: ["storage.hpe.com"] resources: ["snapshotgroups"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["snapshotgroupcontents"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["snapshotgroupclasses"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["snapshotgroups/status"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["snapshotgroupcontents/status"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list", "create"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete", "get", "update"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] - apiGroups: ["storage.hpe.com"] resources: ["volumegroups"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.hpe.com"] resources: ["volumegroupcontents"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.hpe.com"] resources: ["volumegroupclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["create", "get", "list", "watch", "update", "delete"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots/status"] verbs: ["update"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-snapshotgroup-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: hpe-csi-snapshotgroup-role apiGroup: rbac.authorization.k8s.io --- # mutator must be able to work with PVCs, PVs, SCs. kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-mutator-role rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-mutator-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa # replace with non-default namespace name namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: csi-mutator-role apiGroup: rbac.authorization.k8s.io --- # mutator must be able to work with end point in current namespace # if (and only if) leadership election is enabled kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: {{ .Release.Namespace }} name: csi-mutator-cfg rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-mutator-role-cfg namespace: {{ .Release.Namespace }} subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: Role name: csi-mutator-cfg apiGroup: rbac.authorization.k8s.io {{- end }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-driver-role rules: - apiGroups: ["storage.hpe.com"] resources: ["hpenodeinfos"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["hpevolumeinfos"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["hpereplicationdeviceinfos"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["hpevolumegroupinfos"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["storage.hpe.com"] resources: ["hpesnapshotgroupinfos"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["services"] verbs: ["get"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] --- apiVersion: v1 kind: ServiceAccount metadata: name: hpe-csi-node-sa namespace: {{ .Release.Namespace }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: hpe-csi-driver-binding subjects: - kind: ServiceAccount name: hpe-csi-controller-sa namespace: {{ .Release.Namespace }} - kind: ServiceAccount name: hpe-csi-node-sa namespace: {{ .Release.Namespace }} - kind: ServiceAccount name: hpe-csp-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: hpe-csi-driver-role apiGroup: rbac.authorization.k8s.io --- kind: ServiceAccount apiVersion: v1 metadata: name: hpe-csp-sa namespace: {{ .Release.Namespace }}