Merge pull request #710 from shawn-hurley/backport=706

k8s-ci-robot · web-flow · commit db21674bb42d · 2022-05-20T12:03:13.000-07:00
Backport-706 Adding webhook RBAC to enable validation of snapshotclasses
diff --git a/deploy/kubernetes/webhook-example/README.md b/deploy/kubernetes/webhook-example/README.md
@@ -56,7 +56,7 @@ These commands should be run from the top level directory.
 
 3. Change the namespace in the generated `admission-configuration.yaml` file. Change the namespace in the service and deployment in the `webhook.yaml` file.
 
-4. Create the deployment, service and admission configuration objects on the cluster.
+4. Create the deployment, service, RBAC, and admission configuration objects on the cluster.
 
     ```bash
     kubectl apply -f ./deploy/kubernetes/webhook-example
diff --git a/deploy/kubernetes/webhook-example/rbac-snapshot-webhook.yaml b/deploy/kubernetes/webhook-example/rbac-snapshot-webhook.yaml
@@ -0,0 +1,34 @@
+# RBAC file for the snapshot webhook.
+#
+# The snapshot webhook implements the validation and admission for CSI snapshot functionality.
+# It should be installed as part of the base Kubernetes distribution in an appropriate
+# namespace for components implementing base system functionality. For installing with
+# Vanilla Kubernetes, kube-system makes sense for the namespace.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: snapshot-webhook
+  namespace: default # NOTE: change the namespace
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-webhook-runner
+rules:
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-webhook-role
+subjects:
+  - kind: ServiceAccount
+    name: snapshot-webhook
+    namespace: default # NOTE: change the namespace
+roleRef:
+  kind: ClusterRole
+  name: snapshot-webhook-runner
+  apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/webhook-example/webhook.yaml b/deploy/kubernetes/webhook-example/webhook.yaml
@@ -15,6 +15,7 @@ spec:
       labels:
         app: snapshot-validation
     spec:
+      serviceAccountName: snapshot-webhook
       containers:
       - name: snapshot-validation
         image: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v5.0.1 # change the image if you wish to use your own custom validation server image
