build: add rbac for default sa
rook csv doesn't contain the default
service account

recently we added default sa for most
of the ceph daemons but it didn't have the
rbacs, so added the rbacs to it
so rook csv can generate default sa

Signed-off-by: parth-gr <partharora1010@gmail.com>
(cherry picked from commit d27cfbd)
parth-gr committed Mar 13, 2024
1 parent 503f0b3 commit f208577
Showing 3 changed files with 48 additions and 0 deletions.
10 changes: 10 additions & 0 deletions deploy/charts/library/templates/_cluster-role.tpl
Expand Up @@ -148,4 +148,14 @@ rules:
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "update", "delete", "list"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-default
namespace: {{ .Release.Namespace }} # namespace:cluster
rules:
- apiGroups: [""]
resources: [""]
verbs: [""]
{{- end }}
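Review bot: The single rule in the new `rook-ceph-default` Role uses empty-string entries (`resources: [""]`, `verbs: [""]`), which match no real resource or verb, so the Role grants nothing and reads like an unfinished stub. If the object exists only so the CSV generation picks up the default service account, say so in a YAML comment above `kind: Role` and note that the rule is intentionally empty, so nobody later "completes" it with broader permissions than the daemons need.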
14 changes: 14 additions & 0 deletions deploy/charts/library/templates/_cluster-rolebinding.tpl
Expand Up @@ -105,4 +105,18 @@ subjects:
- kind: ServiceAccount
name: rook-ceph-purge-osd
namespace: {{ .Release.Namespace }} # namespace:cluster
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-default
namespace: {{ .Release.Namespace }} # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: rook-ceph-default
subjects:
- kind: ServiceAccount
name: rook-ceph-default
namespace: {{ .Release.Namespace }} # namespace:cluster
{{- end }}
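Review bot: The subject of this RoleBinding is the `rook-ceph-default` ServiceAccount, which the commit message says is used by most of the ceph daemons, so any rule added to the `rook-ceph-default` Role later is granted to all of them at once. A comment above `kind: RoleBinding` naming which daemons run under this account would make that scope visible to whoever edits the Role next; daemons that need real permissions should get their own Role and ServiceAccount instead of growing this one.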
24 changes: 24 additions & 0 deletions deploy/examples/common.yaml
Expand Up @@ -790,6 +790,16 @@ rules:
- update
- delete
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-default
namespace: rook-ceph # namespace:cluster
rules:
- apiGroups: [""]
resources: [""]
verbs: [""]
---
# Aspects of ceph-mgr that operate within the cluster's namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
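Review bot: The new `rook-ceph-default` Role has no descriptive comment, while the Role that follows it starts with `# Aspects of ceph-mgr that operate within the cluster's namespace`. Add a matching one-line comment stating that this Role is a placeholder for the default service account and deliberately carries the empty rule (`resources: [""]`, `verbs: [""]`). Since the same definition is also added to `_cluster-role.tpl` in this commit, the comment should be identical in both places so the two copies are easy to keep in sync.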
Expand Down Expand Up @@ -1052,6 +1062,20 @@ subjects:
name: rook-ceph-cmd-reporter
namespace: rook-ceph # namespace:cluster
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-default
namespace: rook-ceph # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: rook-ceph-default
subjects:
- kind: ServiceAccount
name: rook-ceph-default
namespace: rook-ceph # namespace:cluster
---
# Allow the ceph mgr to access resources scoped to the CephCluster namespace necessary for mgr modules
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
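Review bot: The `rook-ceph-default` RoleBinding is added without a leading comment, unlike the binding right after it (`# Allow the ceph mgr to access resources scoped to the CephCluster namespace necessary for mgr modules`). A one-line comment stating the binding's purpose would match the file's convention and make audits of `common.yaml` easier.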