Add RBAC
Courtesy of @jhorwit2
1 parent de58ba5 commit cb171c5

1 file changed

+54
-32
lines changed


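--- a/manifests/oci-cloud-controller-manager-rbac.yaml
+++ b/manifests/oci-cloud-controller-manager-rbac.yaml
@@ -1,54 +1,76 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
+kind: ClusterRole
 metadata:
-name: system::leader-locking-cloud-controller-manager
-namespace: kube-system
+name: system:cloud-controller-manager
+labels:
+kubernetes.io/cluster-service: "true"
 rules:
 - apiGroups:
 - ""
 resources:
-- configmaps
-- endpoints
+- nodes
 verbs:
-- create
+- '*'
+- apiGroups:
+- ""
+resources:
+- services
+verbs:
+- list
 - watch
+- patch
+
+- apiGroups:
+- ""
+resources:
+- services/status
+verbs:
+- update
+
+- apiGroups:
+- ""
+resources:
+- events
+verbs:
+- create
+- patch
+- update
+
+# For leader election
 - apiGroups:
 - ""
-resourceNames:
-- cloud-controller-manager
 resources:
-- configmaps
 - endpoints
 verbs:
+- create
 - get
+- list
+- watch
 - update
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
-name: system::leader-locking-cloud-controller-manager
-namespace: kube-system
-roleRef:
-apiGroup: rbac.authorization.k8s.io
-kind: Role
-name: system::leader-locking-cloud-controller-manager
-subjects:
-- kind: ServiceAccount
-name: cloud-controller-manager
-namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-name: oci-cloud-controller-manager
-rules:
 - apiGroups:
 - ""
 resources:
-- "*"
+- serviceaccounts
 verbs:
-- "*"
+- create
+- apiGroups:
+- ""
+resources:
+- secrets
+verbs:
+- get
+- list
+
+# For the PVL
+- apiGroups:
+- ""
+resources:
+- persistentvolumes
+verbs:
+- list
+- watch
+- patch
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -57,7 +79,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
-name: oci-cloud-controller-manager
+name: system:cloud-controller-manager
 subjects:
 - kind: ServiceAccount
 name: cloud-controller-manager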
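Review bot: The new `secrets` rule with verbs `get` and `list` (new-side lines 57-63) lives on a ClusterRole, so the `cloud-controller-manager` service account can now read and enumerate every Secret in every namespace, which is far broader than a controller that presumably only needs its own provider-config secret in kube-system. Since the commit deletes the kube-system Role/RoleBinding pair anyway, the same mechanism could carry this grant as a namespaced Role instead, and once the config secret's name is settled (it is not visible in this diff) it could be narrowed further with `resourceNames`, keeping in mind that `resourceNames` only restricts `get`, so `list` would have to be dropped for that to bite. A smaller point: the merged leader-election rule drops the previous `resourceNames: [cloud-controller-manager]` scoping and adds `list`/`watch` on endpoints cluster-wide, so a one-line comment such as `# lock object name is chosen by the controller, so no resourceNames scoping` would document that this widening is deliberate. The ClusterRoleBinding's `metadata` block is above this hunk and not visible here.
```yaml
# … unchanged: ClusterRole system:cloud-controller-manager, minus the secrets rule …
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: system:cloud-controller-manager-secrets
  namespace: kube-system
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  # TODO: add resourceNames: [<ccm config secret>] and drop `list` once the name is fixed
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: system:cloud-controller-manager-secrets
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system:cloud-controller-manager-secrets
subjects:
- kind: ServiceAccount
  name: cloud-controller-manager
  namespace: kube-system
# … unchanged: ClusterRoleBinding …
```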
