{{ if .Values.rbac.create }}
# This role is used to allow pv-resizer to get namespaces and patch PVCs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Release.Name }}-role
labels:
{{- include "pv-resizer.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources:
- namespaces
- pods
- nodes
- nodes/proxy
verbs: ["get", "list"]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "patch", "update"]
- apiGroups: ["apps"]
- deployments
- deployments/scale
- statefulsets
- statefulsets/scale
---
# We bind the role to the pv-resizer ServiceAccount
kind: ClusterRoleBinding
name: {{ .Release.Name }}-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ include "pv-resizer.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{ end }}