Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- kind: ServiceAccount
- apiVersion: v1
- metadata:
- name: nfs-pod-provisioner-sa
- ---
- kind: ClusterRole # Role of kubernetes
- apiVersion: rbac.authorization.k8s.io/v1 # auth API
- metadata:
- name: nfs-provisioner-clusterRole
- rules:
- - apiGroups: [""] # rules on persistentvolumes
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "update", "patch"]
- ---
- kind: ClusterRoleBinding
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- name: nfs-provisioner-rolebinding
- subjects:
- - kind: ServiceAccount
- name: nfs-pod-provisioner-sa # defined on top of file
- namespace: default
- roleRef: # binding cluster role to service account
- kind: ClusterRole
- name: nfs-provisioner-clusterRole # name defined in clusterRole
- apiGroup: rbac.authorization.k8s.io
- ---
- kind: Role
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- name: nfs-pod-provisioner-otherRoles
- rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
- ---
- kind: RoleBinding
- apiVersion: rbac.authorization.k8s.io/v1
- metadata:
- name: nfs-pod-provisioner-otherRoles
- subjects:
- - kind: ServiceAccount
- name: nfs-pod-provisioner-sa # same as top of the file
- # replace with namespace where provisioner is deployed
- namespace: default
- roleRef:
- kind: Role
- name: nfs-pod-provisioner-otherRoles
- apiGroup: rbac.authorization.k8s.io
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement