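{{- if .Values.rbac.create }}
# Cluster-scoped RBAC for the rook-nfs operator and provisioner. The whole
# file is rendered only when the chart value rbac.create is set.
#
# Binds the operator ServiceAccount to the rook-nfs-operator ClusterRole.
# This is a ClusterRoleBinding, so every rule in that role applies in all
# namespaces, not only in the release namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-nfs-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-nfs-operator
subjects:
  - kind: ServiceAccount
    # Templated scalars are quoted so that an all-digit or boolean-looking
    # name is still rendered as a YAML string.
    name: {{ include "rook-nfs-operator.serviceAccountName" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
# Permissions used by the operator to manage NFS servers.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rook-nfs-operator
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - watch
  # NOTE(review): "create" on pods (here) and on statefulsets (below) is
  # granted cluster-wide through the ClusterRoleBinding. An identity that can
  # create workloads in a namespace can run them under any ServiceAccount of
  # that namespace, so this is a broad grant. If NFS servers are only ever
  # deployed to known namespaces, a Role plus RoleBinding per namespace would
  # be tighter. Confirm against the operator's requirements.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - get
      - watch
      - create
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - nfs.rook.io
    resources:
      - nfsservers
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - nfs.rook.io
    resources:
      - nfsservers/status
      - nfsservers/finalizers
    verbs:
      - get
      - patch
      - update
---
# Permissions for the NFS volume provisioner. This file defines no binding
# for this role; whichever binding references it decides who receives these
# permissions.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-nfs-provisioner-runner
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  # "get" on endpoints is granted here and again by the endpoints rule
  # further down; the overlap is harmless but redundant.
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get"]
  # NOTE(review): PodSecurityPolicy was removed in Kubernetes v1.25. On
  # clusters at or above that version this rule has no effect, and the pod
  # restrictions that "rook-nfs-policy" expressed must come from Pod Security
  # Admission or a policy engine instead.
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["rook-nfs-policy"]
    verbs: ["use"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  # NOTE(review): wildcard resources and verbs grant every action on every
  # nfs.rook.io resource, including any added to the API group later. Replace
  # them with the explicit resources and verbs the provisioner uses once
  # those are confirmed.
  - apiGroups:
      - nfs.rook.io
    resources:
      - "*"
    verbs:
      - "*"
{{- end }}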