
Commit 8b0b8fb

authored
Merge pull request #140 from ZeroMagic/separate-secret
chore: separate secret RBAC
2 parents 59f5567 + d738d3b commit 8b0b8fb


7 files changed

+58
-42
lines changed


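--- a/charts/latest/blobfuse-csi-driver/templates/rbac-csi-blobfuse-controller.yaml
+++ b/charts/latest/blobfuse-csi-driver/templates/rbac-csi-blobfuse-controller.yaml
@@ -140,4 +140,30 @@ roleRef:
 kind: ClusterRole
 name: blobfuse-external-snapshotter-role
 apiGroup: rbac.authorization.k8s.io
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+namespace: {{ .Release.Namespace }}
+name: csi-blobfuse-controller-secret-role
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get", "list"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: csi-blobfuse-controller-secret-binding
+namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+name: csi-blobfuse-controller-sa
+namespace: {{ .Release.Namespace }}
+roleRef:
+kind: ClusterRole
+name: csi-blobfuse-controller-secret-role
+apiGroup: rbac.authorization.k8s.io
 {{ end }}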
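Review bot: The new `csi-blobfuse-controller-secret-role` grants `get` and `list` on `secrets` as a ClusterRole bound through a ClusterRoleBinding, so `csi-blobfuse-controller-sa` can read every Secret in every namespace, and `list` returns the secret data in bulk. Now that the role is controller-only, this is the place to narrow it: if the controller only fetches a secret it is given by name (not confirmable from this hunk), `verbs: ["get"]` would be enough. The `namespace:` key under `metadata` has no effect on cluster-scoped objects and can read as if the grant were confined to the release namespace; either drop it or add a comment such as `# cluster-scoped: applies to secrets in all namespaces`. The same block is added in deploy/rbac-csi-blobfuse-controller.yaml with `kube-system`.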

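--- a/charts/latest/blobfuse-csi-driver/templates/rbac-csi-blobfuse-secret.yaml
+++ b/charts/latest/blobfuse-csi-driver/templates/rbac-csi-blobfuse-node.yaml
@@ -4,7 +4,7 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 namespace: {{ .Release.Namespace }}
-name: csi-blobfuse-secret-role
+name: csi-blobfuse-node-secret-role
 rules:
 - apiGroups: [""]
 resources: ["secrets"]
@@ -14,17 +14,14 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-name: csi-blobfuse-secret-binding
+name: csi-blobfuse-node-secret-binding
 namespace: {{ .Release.Namespace }}
 subjects:
-- kind: ServiceAccount
-name: csi-blobfuse-controller-sa
-namespace: {{ .Release.Namespace }}
 - kind: ServiceAccount
 name: csi-blobfuse-node-sa
 namespace: {{ .Release.Namespace }}
 roleRef:
 kind: ClusterRole
-name: csi-blobfuse-secret-role
+name: csi-blobfuse-node-secret-role
 apiGroup: rbac.authorization.k8s.io
 {{ end }}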

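--- a/deploy/install-driver.sh
+++ b/deploy/install-driver.sh
@@ -37,7 +37,6 @@ echo "Installing Blobfuse CSI driver, version: $ver ..."
 kubectl apply -f $repo/crd-csi-node-info.yaml
 kubectl apply -f $repo/rbac-csi-blobfuse-controller.yaml
 kubectl apply -f $repo/rbac-csi-blobfuse-node.yaml
-kubectl apply -f $repo/rbac-csi-blobfuse-secret.yaml
 kubectl apply -f $repo/csi-blobfuse-controller.yaml
 kubectl apply -f $repo/csi-blobfuse-driver.yaml
 kubectl apply -f $repo/csi-blobfuse-node.yaml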

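--- a/deploy/rbac-csi-blobfuse-controller.yaml
+++ b/deploy/rbac-csi-blobfuse-controller.yaml
@@ -137,3 +137,29 @@ roleRef:
 kind: ClusterRole
 name: blobfuse-external-snapshotter-role
 apiGroup: rbac.authorization.k8s.io
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: csi-blobfuse-controller-secret-role
+namespace: kube-system
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get", "list"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: csi-blobfuse-controller-secret-binding
+namespace: kube-system
+subjects:
+- kind: ServiceAccount
+name: csi-blobfuse-controller-sa
+namespace: kube-system
+roleRef:
+kind: ClusterRole
+name: csi-blobfuse-controller-secret-role
+apiGroup: rbac.authorization.k8s.io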

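--- a/deploy/rbac-csi-blobfuse-node.yaml
+++ b/deploy/rbac-csi-blobfuse-node.yaml
@@ -9,7 +9,7 @@ metadata:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-name: csi-blobfuse-secret-role
+name: csi-blobfuse-node-secret-role
 namespace: kube-system
 rules:
 - apiGroups: [""]
@@ -20,16 +20,13 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-name: csi-blobfuse-secret-binding
+name: csi-blobfuse-node-secret-binding
 namespace: kube-system
 subjects:
-- kind: ServiceAccount
-name: csi-blobfuse-controller-sa
-namespace: kube-system
 - kind: ServiceAccount
 name: csi-blobfuse-node-sa
 namespace: kube-system
 roleRef:
 kind: ClusterRole
-name: csi-blobfuse-secret-role
+name: csi-blobfuse-node-secret-role
 apiGroup: rbac.authorization.k8s.io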
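Review bot: Renaming the role and binding here leaves the old objects in place on any cluster that already has the driver, because install-driver.sh uses plain `kubectl apply -f`, which does not prune. The old `csi-blobfuse-secret-binding` would keep binding both `csi-blobfuse-controller-sa` and `csi-blobfuse-node-sa` to `csi-blobfuse-secret-role`, so the separation this commit intends is not effective after an upgrade until they are removed. The install script (or upgrade notes) should delete the old names, for example `kubectl delete clusterrolebinding csi-blobfuse-secret-binding --ignore-not-found` and `kubectl delete clusterrole csi-blobfuse-secret-role --ignore-not-found`. uninstall-driver.sh has the same gap, since it no longer deletes rbac-csi-blobfuse-secret.yaml. The node role's verbs lie outside these hunks, so its remaining scope cannot be checked from here.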

deploy/rbac-csi-blobfuse-secret.yaml

Lines changed: 0 additions & 28 deletions
This file was deleted.

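--- a/deploy/uninstall-driver.sh
+++ b/deploy/uninstall-driver.sh
@@ -40,5 +40,4 @@ kubectl delete -f $repo/csi-blobfuse-node.yaml --ignore-not-found
 kubectl delete -f $repo/crd-csi-node-info.yaml --ignore-not-found
 kubectl delete -f $repo/rbac-csi-blobfuse-controller.yaml --ignore-not-found
 kubectl delete -f $repo/rbac-csi-blobfuse-node.yaml --ignore-not-found
-kubectl delete -f $repo/rbac-csi-blobfuse-secret.yaml --ignore-not-found
 echo 'Uninstalled Blobfuse CSI driver successfully.'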
