Removed extra serviceAccount from cephfs-provisioner
cephfs-provisioner may need to create new resources in the Kubernetes cluster. It had been granted access to some resources, including namespaces, but when https://review.opendev.org/c/starlingx/platform-armada-app/+/778746 was merged the serviceAccount was changed. I have updated the serviceAccount with permission to create new namespaces and secrets. The serviceAccount that was initially used to create namespaces and secrets is no longer needed, so I have removed it. Closes-bug: 1921197 Change-Id: I3c683776f3ecaf9c78d1a6b5b1108e9582497dde Signed-off-by: Daniel Safta <daniel.safta@windriver.com>
parent
45fd0a6b2c
commit
1021d50142
|
@ -8,72 +8,6 @@
|
|||
|
||||
{{- $defaults := .Values.classdefaults }}
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
namespace: {{ $defaults.cephFSNamespace }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["namespaces"]
|
||||
verbs: ["get", "create", "list", "update"]
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
namespace: {{ $defaults.cephFSNamespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
namespace: {{ $defaults.cephFSNamespace }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["create", "get", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["endpoints"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["namespaces"]
|
||||
verbs: ["get", "create", "list", "update"]
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
namespace: {{ $defaults.cephFSNamespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ $defaults.rbacConfigName }}
|
||||
namespace: {{ $defaults.cephFSNamespace }}
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
|
@ -96,6 +30,12 @@ rules:
|
|||
resources: ["services"]
|
||||
resourceNames: ["kube-dns","coredns"]
|
||||
verbs: ["list", "get"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["namespaces"]
|
||||
verbs: ["get", "create", "list", "update"]
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
|
@ -124,6 +64,10 @@ rules:
|
|||
- apiGroups: [""]
|
||||
resources: ["endpoints"]
|
||||
verbs: ["get", "list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["namespaces"]
|
||||
verbs: ["get", "create", "list", "update"]
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
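Review bot: The `secrets` rule added to the ClusterRole in the `@ -96,6 +30,12 @@` hunk grants `get`, `list`, `watch`, `create` and `delete` on every Secret in the cluster with no `resourceNames` or namespace scoping, unlike the `services` rule directly above it. The commit carries these verbs over from the removed keyring ClusterRole rather than inventing them, but per the description they now sit on the provisioner's own service account, so anything that can act as that account can read all cluster secrets. If the provisioner only writes and reads back the secrets it creates itself (not verifiable from this page), consider narrowing to `verbs: ["get", "create", "delete"]`, as the removed namespaced Role did, and add a comment above the rule stating why cluster-wide scope is required. The `namespaces` rule added in the `@ -124,6 +64,10 @@` hunk appears to land in a namespaced Role, where `create` and `list` on the cluster-scoped `namespaces` resource would presumably have no effect beyond what the ClusterRole already grants, so it looks redundant. Both resource definitions begin outside the hunks shown.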
|
|
|
@ -73,7 +73,6 @@ classdefaults:
|
|||
- 192.168.204.2:6789
|
||||
provisionerConfigName: cephfs-provisioner
|
||||
provisionerName: ceph.com/cephfs
|
||||
rbacConfigName: cephfs-provisioner-keyring
|
||||
|
||||
# Configure storage classes.
|
||||
# This section should be tailored to your setup. It allows you to define multiple storage
|
||||
|
|