diff --git a/nfs-provisioner/templates/clusterrole.yaml b/nfs-provisioner/templates/clusterrole.yaml
new file mode 100644
index 000000000..d5c91809f
--- /dev/null
+++ b/nfs-provisioner/templates/clusterrole.yaml
@@ -0,0 +1,76 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.clusterrole }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: nfs-provisioner-runner
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - apiGroups:
+ - ''
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ - endpoints
+ verbs:
+ - get
+ - apiGroups:
+ - extensions
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - nfs-provisioner
+ verbs:
+ - use
+{{- end }}
diff --git a/nfs-provisioner/templates/clusterrolebinding.yaml b/nfs-provisioner/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..9b1b22461
--- /dev/null
+++ b/nfs-provisioner/templates/clusterrolebinding.yaml
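Review bot: In clusterrole.yaml the `services`/`endpoints` rule grants `get` on every Service and Endpoints object in the cluster, while the `podsecuritypolicies` rule directly below it is pinned with `resourceNames`. If the provisioner only looks up its own service (the lookup is not visible in this diff, so this needs confirming), that rule can be narrowed the same way with a `resourceNames:` list naming that service. The `use` rule also refers to a PodSecurityPolicy called `nfs-provisioner` that none of the visible hunks creates; a comment above the rule such as `# PSP "nfs-provisioner" is not shipped by this chart and must exist in the cluster` would tell operators where the policy is expected to come from.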
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.clusterrolebinding }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: run-nfs-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: nfs-provisioner
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: nfs-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/nfs-provisioner/templates/deployment.yaml b/nfs-provisioner/templates/deployment.yaml
index df41be211..3293d03e2 100644
--- a/nfs-provisioner/templates/deployment.yaml
+++ b/nfs-provisioner/templates/deployment.yaml
@@ -35,6 +35,7 @@ spec: labels: {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccount: nfs-provisioner affinity: {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector:
diff --git a/nfs-provisioner/templates/serviceaccount.yaml b/nfs-provisioner/templates/serviceaccount.yaml
new file mode 100644
index 000000000..3497e5363
--- /dev/null
+++ b/nfs-provisioner/templates/serviceaccount.yaml
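Review bot: clusterrolebinding.yaml declares `apiVersion: rbac.authorization.k8s.io/v1beta1`, while the ClusterRole it references is added in the same commit as `rbac.authorization.k8s.io/v1`; using `apiVersion: rbac.authorization.k8s.io/v1` for the binding keeps the pair consistent. The names `run-nfs-provisioner` and `nfs-provisioner-runner` are fixed strings on cluster-scoped objects, so a second release of the chart in another namespace would collide with the first release's role and binding rather than get its own. Deriving both from the release, for example `name: {{ .Release.Name }}-nfs-provisioner-runner` with the same value in `roleRef.name`, avoids that. The binding and the role are also gated by separate `manifests` toggles, so enabling `clusterrolebinding` without `clusterrole` renders a binding whose `roleRef` points at nothing this chart created; a comment next to the `if` saying the two must be enabled together would help.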
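Review bot: The added `serviceAccount: nfs-provisioner` line in deployment.yaml is unconditional, but the ServiceAccount template in this commit is rendered only when `manifests.serviceaccount` is true. With that toggle off the pod spec still names an account the chart did not create, and the pods cannot be created unless the account is supplied some other way. `serviceAccount` is also the deprecated alias of `serviceAccountName`, so `serviceAccountName: nfs-provisioner` is the preferred spelling. The pod `spec:` that this line belongs to starts and ends outside the hunk.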
@@ -0,0 +1,22 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.serviceaccount }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nfs-provisioner
+{{- end }}
diff --git a/nfs-provisioner/values.yaml b/nfs-provisioner/values.yaml
index 88cdd4a79..f3cc1cf80 100644
--- a/nfs-provisioner/values.yaml
+++ b/nfs-provisioner/values.yaml
@@ -111,8 +111,11 @@ endpoints: manifests: configmap_bin: true + clusterrole: true + clusterrolebinding: true deployment: true job_image_repo_sync: true rbac_entrypoint: true service: true + serviceaccount: true storage_class: true