kind: ServiceAccountapiVersion: v1metadata: name: nfs-pod-provisioner-sa---

1. kind: ServiceAccount
2. apiVersion: v1
3. metadata:
4. name: nfs-pod-provisioner-sa
5. ---
6. kind: ClusterRole # Role of kubernetes
7. apiVersion: rbac.authorization.k8s.io/v1 # auth API
8. metadata:
9. name: nfs-provisioner-clusterRole
10. rules:
11. - apiGroups: [""] # rules on persistentvolumes
12. resources: ["persistentvolumes"]
13. verbs: ["get", "list", "watch", "create", "delete"]
14. - apiGroups: [""]
15. resources: ["persistentvolumeclaims"]
16. verbs: ["get", "list", "watch", "update"]
17. - apiGroups: ["storage.k8s.io"]
18. resources: ["storageclasses"]
19. verbs: ["get", "list", "watch"]
20. - apiGroups: [""]
21. resources: ["events"]
22. verbs: ["create", "update", "patch"]
23. ---
24. kind: ClusterRoleBinding
25. apiVersion: rbac.authorization.k8s.io/v1
26. metadata:
27. name: nfs-provisioner-rolebinding
28. subjects:
29. - kind: ServiceAccount
30. name: nfs-pod-provisioner-sa # defined on top of file
31. namespace: default
32. roleRef: # binding cluster role to service account
33. kind: ClusterRole
34. name: nfs-provisioner-clusterRole # name defined in clusterRole
35. apiGroup: rbac.authorization.k8s.io
36. ---
37. kind: Role
38. apiVersion: rbac.authorization.k8s.io/v1
39. metadata:
40. name: nfs-pod-provisioner-otherRoles
41. rules:
42. - apiGroups: [""]
43. resources: ["endpoints"]
44. verbs: ["get", "list", "watch", "create", "update", "patch"]
45. ---
46. kind: RoleBinding
47. apiVersion: rbac.authorization.k8s.io/v1
48. metadata:
49. name: nfs-pod-provisioner-otherRoles
50. subjects:
51. - kind: ServiceAccount
52. name: nfs-pod-provisioner-sa # same as top of the file
53. # replace with namespace where provisioner is deployed
54. namespace: default
55. roleRef:
56. kind: Role
57. name: nfs-pod-provisioner-otherRoles
58. apiGroup: rbac.authorization.k8s.io