{{ if .Values.rbac.create }}
# Everything from here to the closing end action at the bottom of the file is
# rendered only when the chart value rbac.create is truthy.
#
# ClusterRoleBinding: grants a ClusterRole to the operator's ServiceAccount
# cluster-wide, so any workload running as that ServiceAccount holds the
# bound permissions in every namespace.
# NOTE(review): this listing carries no indentation; the nesting of keys under
# metadata, roleRef and subjects is inferred from the key names -- confirm
# against the chart source.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-nfs-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
# NOTE(review): no name line follows the roleRef kind in this listing. roleRef
# requires a name and is immutable once the binding exists, so confirm which
# ClusterRole is bound before installing.
subjects:
- kind: ServiceAccount
# The ServiceAccount name comes from the chart's serviceAccountName helper
# template; the namespace is the Helm release namespace.
# NOTE(review): both templated values are unquoted; wrapping them in double
# quotes keeps an empty or boolean-looking expansion from changing type.
name: {{ include "rook-nfs-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
# RBAC rules list. No kind, apiVersion or metadata lines for this document
# appear between the document separator and this key in the listing, so the
# object these rules belong to cannot be confirmed from here (presumably the
# operator's ClusterRole -- verify against the chart source).
rules:
- apiGroups:
# The empty string selects the core API group.
- ""
resources:
- configmaps
verbs:
- create
- get
- list
- patch
- update
- watch
# NOTE(review): from here on the flat list mixes resource names (events, pods,
# services, statefulsets, nfsservers and its status/finalizers subresources),
# API group names (apps, nfs.rook.io) and one more verb (delete). The
# apiGroups/resources/verbs keys that separated them are not visible, so which
# verbs apply to which resources cannot be read from this listing. Do not use
# it as-is for a permissions audit; compare with the rendered chart output.
- events
- pods
- services
- apps
- statefulsets
- nfs.rook.io
- nfsservers
- delete
- nfsservers/status
- nfsservers/finalizers
# Presumably the metadata name of a second ClusterRole used by the NFS volume
# provisioner; its kind, apiVersion and rules key are not visible in this
# listing -- confirm against the chart source.
name: rook-nfs-provisioner-runner
# NOTE(review): several resources/verbs pairs below have no list-item line of
# their own. Each pair presumably belongs to a separate rule; read literally
# they would be duplicate keys, which most YAML parsers resolve silently by
# keeping the last value.
# Core API group: PersistentVolumes are cluster-scoped, so create and delete
# here apply to every volume in the cluster.
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete"]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
# Read-only access to StorageClasses.
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
resources: ["events"]
verbs: ["create", "update", "patch"]
resources: ["services", "endpoints"]
verbs: ["get"]
# Permission to use one named PodSecurityPolicy; resourceNames limits the
# grant to that single policy object.
# NOTE(review): the PodSecurityPolicy API was removed in Kubernetes 1.25. On
# newer clusters this rule grants nothing, and pod hardening has to come from
# Pod Security Admission or a policy engine instead.
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
resourceNames: ["rook-nfs-policy"]
verbs: ["use"]
# Write access to endpoints; the apiGroups line for this pair is not visible.
resources: ["endpoints"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
# NOTE(review): a bare wildcard entry; the key it belongs to is not visible in
# this listing. In a ClusterRole a wildcard matches every value of its field,
# including resources or verbs added by later API versions. Confirm where it
# applies and replace it with an explicit list where possible.
- "*"
# Closes the rbac.create guard opened on the first line of the file.
{{ end }}