Merge pull request #215 from bipuladh/fix-rbac

Fix RBAC permissions for CSI addons security enhancements

Author: Madhu-1

config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml

@@ -63,3 +63,6 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts/token"]
     verbs: ["create"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]

config/csi-rbac/cephfs_ctrlplugin_role.yaml

@@ -18,6 +18,3 @@ rules:
   - apiGroups: ["apps"]
     resources: ["deployments/finalizers", "daemonsets/finalizers"]
     verbs: ["update"]
-  - apiGroups: ["authentication.k8s.io"]
-    resources: ["tokenreviews"]
-    verbs: ["create"]

config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml

@@ -69,3 +69,6 @@ rules:
   - apiGroups: ["replication.storage.openshift.io"]
     resources: ["volumegroupreplicationclasses"]
     verbs: ["get", "list", "watch"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]

config/csi-rbac/rbd_ctrlplugin_role.yaml

@@ -18,6 +18,3 @@ rules:
   - apiGroups: ["apps"]
     resources: ["deployments/finalizers", "daemonsets/finalizers"]
     verbs: ["update"]
-  - apiGroups: ["authentication.k8s.io"]
-    resources: ["tokenreviews"]
-    verbs: ["create"]

config/csi-rbac/rbd_nodeplugin_cluster_role.yaml

@@ -24,3 +24,6 @@ rules:
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get"]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]

config/csi-rbac/rbd_nodeplugin_role.yaml

@@ -15,6 +15,3 @@ rules:
   - apiGroups: ["apps"]
     resources: ["deployments/finalizers", "daemonsets/finalizers"]
     verbs: ["update"]
-  - apiGroups: ["authentication.k8s.io"]
-    resources: ["tokenreviews"]
-    verbs: ["create"]

deploy/all-in-one/install.yaml

@@ -14130,12 +14130,6 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14225,12 +14219,6 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14268,12 +14256,6 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -14489,6 +14471,12 @@ rules:
   - serviceaccounts/token
   verbs:
   - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15248,6 +15236,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -15299,6 +15293,12 @@ rules:
   - nodes
   verbs:
   - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

deploy/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-cr-rbac.yaml

@@ -164,3 +164,9 @@ rules:
   - serviceaccounts/token
   verbs:
   - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create

deploy/charts/ceph-csi-operator/templates/cephfs-ctrlplugin-r-rbac.yaml

@@ -46,9 +46,3 @@ rules:
   - daemonsets/finalizers
   verbs:
   - update
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create

deploy/charts/ceph-csi-operator/templates/rbd-ctrlplugin-cr-rbac.yaml

@@ -181,3 +181,9 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create