
Commit 910b2de

authored
Merge pull request #215 from bipuladh/fix-rbac
Fix RBAC permissions for CSI addons security enhancements
2 parents 8a68bcc + fef04fa commit 910b2de

14 files changed

+63
-63
lines changed

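--- a/config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml
+++ b/config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml
@@ -63,3 +63,6 @@ rules:
 - apiGroups: [""]
 resources: ["serviceaccounts/token"]
 verbs: ["create"]
+- apiGroups: ["authentication.k8s.io"]
+resources: ["tokenreviews"]
+verbs: ["create"]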
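Review bot: The new `tokenreviews` rule at the end of `rules:` has no comment saying which component submits TokenReview requests or why, and the same uncommented rule is added in rbd_ctrlplugin_cluster_role.yaml and rbd_nodeplugin_cluster_role.yaml. TokenReview is a cluster-scoped API, so the grant only takes effect from a ClusterRole, and it lets the bound service account ask the API server to validate any bearer token it is handed. Recording that next to the rule would spare a later least-privilege audit from rediscovering it, for example `# TokenReview is cluster-scoped; required so <consumer: name the component> can authenticate bearer tokens presented to it`. The commit title points at the CSI addons work as the consumer, but that is not visible in these lines, so the placeholder should be filled in by the author. The rest of the `rules:` list lies outside the hunk.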

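--- a/config/csi-rbac/cephfs_ctrlplugin_role.yaml
+++ b/config/csi-rbac/cephfs_ctrlplugin_role.yaml
@@ -18,6 +18,3 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
-- apiGroups: ["authentication.k8s.io"]
-resources: ["tokenreviews"]
-verbs: ["create"]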

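--- a/config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml
+++ b/config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml
@@ -69,3 +69,6 @@ rules:
 - apiGroups: ["replication.storage.openshift.io"]
 resources: ["volumegroupreplicationclasses"]
 verbs: ["get", "list", "watch"]
+- apiGroups: ["authentication.k8s.io"]
+resources: ["tokenreviews"]
+verbs: ["create"]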

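--- a/config/csi-rbac/rbd_ctrlplugin_role.yaml
+++ b/config/csi-rbac/rbd_ctrlplugin_role.yaml
@@ -18,6 +18,3 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
-- apiGroups: ["authentication.k8s.io"]
-resources: ["tokenreviews"]
-verbs: ["create"]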

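--- a/config/csi-rbac/rbd_nodeplugin_cluster_role.yaml
+++ b/config/csi-rbac/rbd_nodeplugin_cluster_role.yaml
@@ -24,3 +24,6 @@ rules:
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get"]
+- apiGroups: ["authentication.k8s.io"]
+resources: ["tokenreviews"]
+verbs: ["create"]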
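Review bot: Whether the RBD node plugin needs `tokenreviews` at all is not established by the lines visible here, and this added rule is what makes the grant effective for it. The rule removed from rbd_nodeplugin_role.yaml sat in a namespaced Role, where a cluster-scoped resource such as TokenReview presumably never applied, so moving it is a real widening rather than a relocation. If the node plugin runs on every node, as its name suggests, its service-account token is mounted on each of them, which makes it the broadest-exposed of the three identities receiving this permission. Please confirm that the node plugin itself validates incoming tokens; if only the controller plugins do, the rule should be dropped from this file instead of moved.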

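--- a/config/csi-rbac/rbd_nodeplugin_role.yaml
+++ b/config/csi-rbac/rbd_nodeplugin_role.yaml
@@ -15,6 +15,3 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
-- apiGroups: ["authentication.k8s.io"]
-resources: ["tokenreviews"]
-verbs: ["create"]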

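--- a/deploy/all-in-one/install.yaml
+++ b/deploy/all-in-one/install.yaml
@@ -14130,12 +14130,6 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
-- apiGroups:
-- authentication.k8s.io
-resources:
-- tokenreviews
-verbs:
-- create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14225,12 +14219,6 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
-- apiGroups:
-- authentication.k8s.io
-resources:
-- tokenreviews
-verbs:
-- create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14268,12 +14256,6 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
-- apiGroups:
-- authentication.k8s.io
-resources:
-- tokenreviews
-verbs:
-- create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14489,6 +14471,12 @@ rules:
 - serviceaccounts/token
 verbs:
 - create
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15248,6 +15236,12 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15299,6 +15293,12 @@ rules:
 - nodes
 verbs:
 - get
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding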

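--- a/deploy/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-cr-rbac.yaml
+++ b/deploy/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-cr-rbac.yaml
@@ -164,3 +164,9 @@ rules:
 - serviceaccounts/token
 verbs:
 - create
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create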

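--- a/deploy/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-r-rbac.yaml
+++ b/deploy/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-r-rbac.yaml
@@ -46,9 +46,3 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
-- apiGroups:
-- authentication.k8s.io
-resources:
-- tokenreviews
-verbs:
-- create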

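--- a/deploy/charts/ceph-csi-operator/templates/rbd-ctrlplugin-cr-rbac.yaml
+++ b/deploy/charts/ceph-csi-operator/templates/rbd-ctrlplugin-cr-rbac.yaml
@@ -181,3 +181,9 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+- authentication.k8s.io
+resources:
+- tokenreviews
+verbs:
+- create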
