| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRole |
| metadata: |
| name: longhorn-role |
| labels: {{- include "longhorn.labels" . | nindent 4 }} |
| rules: |
| - apiGroups: |
| - apiextensions.k8s.io |
| resources: |
| - customresourcedefinitions |
| verbs: |
| - "*" |
| - apiGroups: [""] |
| resources: ["pods", "events", "persistentvolumes", "persistentvolumeclaims","persistentvolumeclaims/status", "nodes", "proxy/nodes", "pods/log", "secrets", "services", "endpoints", "configmaps", "serviceaccounts"] |
| verbs: ["*"] |
| - apiGroups: [""] |
| resources: ["namespaces"] |
| verbs: ["get", "list"] |
| - apiGroups: ["apps"] |
| resources: ["daemonsets", "statefulsets", "deployments"] |
| verbs: ["*"] |
| - apiGroups: ["batch"] |
| resources: ["jobs", "cronjobs"] |
| verbs: ["*"] |
| - apiGroups: ["policy"] |
| resources: ["poddisruptionbudgets", "podsecuritypolicies"] |
| verbs: ["*"] |
| - apiGroups: ["scheduling.k8s.io"] |
| resources: ["priorityclasses"] |
| verbs: ["watch", "list"] |
| - apiGroups: ["storage.k8s.io"] |
| resources: ["storageclasses", "volumeattachments", "volumeattachments/status", "csinodes", "csidrivers"] |
| verbs: ["*"] |
| - apiGroups: ["snapshot.storage.k8s.io"] |
| resources: ["volumesnapshotclasses", "volumesnapshots", "volumesnapshotcontents", "volumesnapshotcontents/status"] |
| verbs: ["*"] |
| - apiGroups: ["longhorn.io"] |
| resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings", "settings/status", |
| "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status", |
| {{- if .Values.openshift.enabled }} |
| "engineimages/finalizers", "nodes/finalizers", "instancemanagers/finalizers", |
| {{- end }} |
| "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status", |
| "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status", |
| "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status", |
| "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status", |
| "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status", |
| "volumeattachments", "volumeattachments/status", "backupbackingimages", "backupbackingimages/status"] |
| verbs: ["*"] |
| - apiGroups: ["coordination.k8s.io"] |
| resources: ["leases"] |
| verbs: ["*"] |
| - apiGroups: ["metrics.k8s.io"] |
| resources: ["pods", "nodes"] |
| verbs: ["get", "list"] |
| - apiGroups: ["apiregistration.k8s.io"] |
| resources: ["apiservices"] |
| verbs: ["list", "watch"] |
| - apiGroups: ["admissionregistration.k8s.io"] |
| resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] |
| verbs: ["get", "list", "create", "patch", "delete"] |
| - apiGroups: ["rbac.authorization.k8s.io"] |
| resources: ["roles", "rolebindings", "clusterrolebindings", "clusterroles"] |
| verbs: ["*"] |
| {{- if .Values.openshift.enabled }} |
| --- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRole |
| metadata: |
| name: longhorn-ocp-privileged-role |
| labels: {{- include "longhorn.labels" . | nindent 4 }} |
| rules: |
| - apiGroups: ["security.openshift.io"] |
| resources: ["securitycontextconstraints"] |
| resourceNames: ["anyuid", "privileged"] |
| verbs: ["use"] |
| {{- end }} |