| gio | c9b92b1 | 2025-05-22 08:57:18 +0400 | [diff] [blame^] | 1 | apiVersion: rbac.authorization.k8s.io/v1 |
| 2 | kind: ClusterRole |
| 3 | metadata: |
| 4 | name: longhorn-role |
| 5 | labels: {{- include "longhorn.labels" . | nindent 4 }} |
| 6 | rules: |
| 7 | - apiGroups: |
| 8 | - apiextensions.k8s.io |
| 9 | resources: |
| 10 | - customresourcedefinitions |
| 11 | verbs: |
| 12 | - "*" |
| 13 | - apiGroups: [""] |
| 14 | resources: ["pods", "events", "persistentvolumes", "persistentvolumeclaims","persistentvolumeclaims/status", "nodes", "proxy/nodes", "pods/log", "secrets", "services", "endpoints", "configmaps", "serviceaccounts"] |
| 15 | verbs: ["*"] |
| 16 | - apiGroups: [""] |
| 17 | resources: ["namespaces"] |
| 18 | verbs: ["get", "list"] |
| 19 | - apiGroups: ["apps"] |
| 20 | resources: ["daemonsets", "statefulsets", "deployments"] |
| 21 | verbs: ["*"] |
| 22 | - apiGroups: ["batch"] |
| 23 | resources: ["jobs", "cronjobs"] |
| 24 | verbs: ["*"] |
| 25 | - apiGroups: ["policy"] |
| 26 | resources: ["poddisruptionbudgets", "podsecuritypolicies"] |
| 27 | verbs: ["*"] |
| 28 | - apiGroups: ["scheduling.k8s.io"] |
| 29 | resources: ["priorityclasses"] |
| 30 | verbs: ["watch", "list"] |
| 31 | - apiGroups: ["storage.k8s.io"] |
| 32 | resources: ["storageclasses", "volumeattachments", "volumeattachments/status", "csinodes", "csidrivers"] |
| 33 | verbs: ["*"] |
| 34 | - apiGroups: ["snapshot.storage.k8s.io"] |
| 35 | resources: ["volumesnapshotclasses", "volumesnapshots", "volumesnapshotcontents", "volumesnapshotcontents/status"] |
| 36 | verbs: ["*"] |
| 37 | - apiGroups: ["longhorn.io"] |
| 38 | resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings", |
| 39 | "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status", |
| 40 | {{- if .Values.openshift.enabled }} |
| 41 | "engineimages/finalizers", "nodes/finalizers", "instancemanagers/finalizers", |
| 42 | {{- end }} |
| 43 | "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status", |
| 44 | "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status", |
| 45 | "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status", |
| 46 | "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status", |
| 47 | "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status", |
| 48 | "volumeattachments", "volumeattachments/status", "backupbackingimages", "backupbackingimages/status"] |
| 49 | verbs: ["*"] |
| 50 | - apiGroups: ["coordination.k8s.io"] |
| 51 | resources: ["leases"] |
| 52 | verbs: ["*"] |
| 53 | - apiGroups: ["metrics.k8s.io"] |
| 54 | resources: ["pods", "nodes"] |
| 55 | verbs: ["get", "list"] |
| 56 | - apiGroups: ["apiregistration.k8s.io"] |
| 57 | resources: ["apiservices"] |
| 58 | verbs: ["list", "watch"] |
| 59 | - apiGroups: ["admissionregistration.k8s.io"] |
| 60 | resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] |
| 61 | verbs: ["get", "list", "create", "patch", "delete"] |
| 62 | - apiGroups: ["rbac.authorization.k8s.io"] |
| 63 | resources: ["roles", "rolebindings", "clusterrolebindings", "clusterroles"] |
| 64 | verbs: ["*"] |
| 65 | {{- if .Values.openshift.enabled }} |
| 66 | --- |
| 67 | apiVersion: rbac.authorization.k8s.io/v1 |
| 68 | kind: ClusterRole |
| 69 | metadata: |
| 70 | name: longhorn-ocp-privileged-role |
| 71 | labels: {{- include "longhorn.labels" . | nindent 4 }} |
| 72 | rules: |
| 73 | - apiGroups: ["security.openshift.io"] |
| 74 | resources: ["securitycontextconstraints"] |
| 75 | resourceNames: ["anyuid", "privileged"] |
| 76 | verbs: ["use"] |
| 77 | {{- end }} |