diff options
| author |   Dileep Ranganathan <dileep.ranganathan@intel.com> | 2019-01-25 02:44:36 -0800 |
|---|---|---|
| committer | Dileep Ranganathan <dileep.ranganathan@intel.com> | 2019-01-25 02:49:50 -0800 |
| commit | c942e55ceea4ce28e84168bb672a83572d0a6313 (patch) | |
| tree | 8ef8e93a9d4bbd70c4076338ca5ce2be98990268 /vnfs/DAaaS/rook-ceph/templates/clusterrole.yaml | |
| parent | 1b97e2665be03fc518eb11de0863c42b2280149e (diff) | |
Helm charts for Distributed Edge Analytics.
Initial Helm charts for CollectD, Prometheus Operator,
Kafka Strimzi operator, Rook Ceph Operator.
Change-Id: I7323029bd0bf1e4b39aac329fc567f705a59bc0c
Issue-ID: ONAPARC-366
Signed-off-by: Dileep Ranganathan <dileep.ranganathan@intel.com>
Diffstat (limited to 'vnfs/DAaaS/rook-ceph/templates/clusterrole.yaml')
| -rw-r--r-- | vnfs/DAaaS/rook-ceph/templates/clusterrole.yaml | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/vnfs/DAaaS/rook-ceph/templates/clusterrole.yaml b/vnfs/DAaaS/rook-ceph/templates/clusterrole.yaml new file mode 100644 index 00000000..58a24d47 --- /dev/null +++ b/vnfs/DAaaS/rook-ceph/templates/clusterrole.yaml @@ -0,0 +1,165 @@ +{{- if .Values.rbacEnable }} +# The cluster role for managing all the cluster-specific resources in a namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: rook-ceph-cluster-mgmt + labels: + operator: rook + storage-backend: ceph +rules: +- apiGroups: + - "" + resources: + - secrets + - pods + - pods/log + - services + - configmaps + verbs: + - get + - list + - watch + - patch + - create + - update + - delete +- apiGroups: + - extensions + resources: + - deployments + - daemonsets + - replicasets + verbs: + - get + - list + - watch + - create + - update + - delete +--- +# The cluster role for managing the Rook CRDs +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: rook-ceph-global + labels: + operator: rook + storage-backend: ceph +rules: +- apiGroups: + - "" + resources: + # Pod access is needed for fencing + - pods + # Node access is needed for determining nodes where mons should run + - nodes + - nodes/proxy + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + # PVs and PVCs are managed by the Rook provisioner + - persistentvolumes + - persistentvolumeclaims + verbs: + - get + - list + - watch + - patch + - create + - update + - delete +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch + - create + - update + - delete +- apiGroups: + - ceph.rook.io + resources: + - "*" + verbs: + - "*" +- apiGroups: + - rook.io + resources: + - "*" + verbs: + - "*" +--- +# Aspects of ceph-mgr that require cluster-wide access +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: rook-ceph-mgr-cluster + labels: + operator: rook + storage-backend: ceph +rules: +- apiGroups: + - "" + resources: + - configmaps + - nodes + - nodes/proxy + verbs: + - get + - list + - watch +{{- if ((.Values.agent) and .Values.agent.mountSecurityMode) and ne .Values.agent.mountSecurityMode "Any" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: rook-ceph-agent-mount + labels: + operator: rook + storage-backend: ceph +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +{{- end }} +{{- if .Values.pspEnable }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: rook-ceph-system-psp-user + labels: + operator: rook + storage-backend: ceph + chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" +rules: +- apiGroups: + - extensions + resources: + - podsecuritypolicies + resourceNames: + - 00-rook-ceph-operator + verbs: + - use +{{- end }} +{{- end }} |