vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-attacher/rbac.yaml - cloudstack-kubernetes-provider - Git at Google

 # This YAML file contains all RBAC objects that are necessary to run external
 # CSI attacher.
 #
 # In production, each CSI driver deployment has to be customized:
 # - to avoid conflicts, use non-default namespace and different names
 #   for non-namespaced entities like the ClusterRole
 # - decide whether the deployment replicates the external CSI
 #   attacher, in which case leadership election must be enabled;
 #   this influences the RBAC setup, see below

 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: csi-attacher
   # replace with non-default namespace name
   namespace: default

 ---
 # Attacher must be able to work with PVs, nodes and VolumeAttachments
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: external-attacher-runner
 rules:
   - apiGroups: [""]
     resources: ["persistentvolumes"]
     verbs: ["get", "list", "watch", "update"]
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get", "list", "watch"]
   - apiGroups: ["csi.storage.k8s.io"]
     resources: ["csinodeinfos"]
     verbs: ["get", "list", "watch"]
   - apiGroups: ["storage.k8s.io"]
     resources: ["volumeattachments"]
     verbs: ["get", "list", "watch", "update"]

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: csi-attacher-role
 subjects:
   - kind: ServiceAccount
     name: csi-attacher
     # replace with non-default namespace name
     namespace: default
 roleRef:
   kind: ClusterRole
   name: external-attacher-runner
   apiGroup: rbac.authorization.k8s.io

 ---
 # Attacher must be able to work with config map in current namespace
 # if (and only if) leadership election is enabled
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   # replace with non-default namespace name
   namespace: default
   name: external-attacher-cfg
 rules:
 - apiGroups: [""]
   resources: ["configmaps"]
   verbs: ["get", "watch", "list", "delete", "update", "create"]

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: csi-attacher-role-cfg
   # replace with non-default namespace name
   namespace: default
 subjects:
   - kind: ServiceAccount
     name: csi-attacher
     # replace with non-default namespace name
     namespace: default
 roleRef:
   kind: Role
   name: external-attacher-cfg
   apiGroup: rbac.authorization.k8s.io
	# This YAML file contains all RBAC objects that are necessary to run external
	# CSI attacher.
	#
	# In production, each CSI driver deployment has to be customized:
	# - to avoid conflicts, use non-default namespace and different names
	# for non-namespaced entities like the ClusterRole
	# - decide whether the deployment replicates the external CSI
	# attacher, in which case leadership election must be enabled;
	# this influences the RBAC setup, see below

	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: csi-attacher
	# replace with non-default namespace name
	namespace: default

	---
	# Attacher must be able to work with PVs, nodes and VolumeAttachments
	kind: ClusterRole
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: external-attacher-runner
	rules:
	- apiGroups: [""]
	resources: ["persistentvolumes"]
	verbs: ["get", "list", "watch", "update"]
	- apiGroups: [""]
	resources: ["nodes"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["csi.storage.k8s.io"]
	resources: ["csinodeinfos"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["storage.k8s.io"]
	resources: ["volumeattachments"]
	verbs: ["get", "list", "watch", "update"]

	---
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: csi-attacher-role
	subjects:
	- kind: ServiceAccount
	name: csi-attacher
	# replace with non-default namespace name
	namespace: default
	roleRef:
	kind: ClusterRole
	name: external-attacher-runner
	apiGroup: rbac.authorization.k8s.io

	---
	# Attacher must be able to work with config map in current namespace
	# if (and only if) leadership election is enabled
	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	# replace with non-default namespace name
	namespace: default
	name: external-attacher-cfg
	rules:
	- apiGroups: [""]
	resources: ["configmaps"]
	verbs: ["get", "watch", "list", "delete", "update", "create"]

	---
	kind: RoleBinding
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: csi-attacher-role-cfg
	# replace with non-default namespace name
	namespace: default
	subjects:
	- kind: ServiceAccount
	name: csi-attacher
	# replace with non-default namespace name
	namespace: default
	roleRef:
	kind: Role
	name: external-attacher-cfg
	apiGroup: rbac.authorization.k8s.io