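####################################################################################################
# Create the common resources that are necessary to start the operator and the ceph cluster.
# These resources *must* be created before the operator.yaml and cluster.yaml or their variants.
# The samples all assume that a single operator will manage a single cluster crd in the same
# "rook-ceph" namespace.
#
# Reviewer note on the RBAC below: several ClusterRoles grant read access to Secrets in every
# namespace and one grants cluster-wide `pods/exec`. The service accounts bound to them should be
# treated as high-value identities (audit their token use, restrict who can create pods with them).
####################################################################################################

# Namespace where the operator and other rook resources are created
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph # namespace:cluster
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cephfs-csi-nodeplugin
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
  # Cluster-scoped `get` on Secrets (by name) in any namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get"]
  # `serviceaccounts/token` create lets this identity request tokens for ServiceAccounts
  # cluster-wide (presumably for CSI TokenRequest support — confirm against the driver config).
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cephfs-external-provisioner-runner
rules:
  # `list` on Secrets cluster-wide returns every Secret's contents, not just names.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "patch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list", "watch", "patch", "update", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: objectstorage-provisioner-role
  labels:
    app.kubernetes.io/part-of: container-object-storage-interface
    app.kubernetes.io/component: driver-ceph
    app.kubernetes.io/name: cosi-driver-ceph
rules:
  - apiGroups: ["objectstorage.k8s.io"]
    resources:
      [
        "buckets",
        "bucketaccesses",
        "bucketclaims",
        "bucketaccessclasses",
        "buckets/status",
        "bucketaccesses/status",
        "bucketclaims/status",
        "bucketaccessclasses/status",
      ]
    verbs: ["get", "list", "watch", "update", "create", "delete"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  # Cluster-wide create/update/delete on Secrets (no list/watch).
  - apiGroups: [""]
    resources: ["secrets", "events"]
    verbs: ["get", "delete", "update", "create"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-csi-nodeplugin
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
rules:
  # `list` on Secrets cluster-wide returns every Secret's contents, not just names.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-external-provisioner-runner
rules:
  # `list`/`watch` on Secrets cluster-wide streams every Secret's contents to this identity.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list", "watch", "patch", "update", "create"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["groupsnapshot.storage.k8s.io"]
    resources: ["volumegroupsnapshotcontents/status"]
    verbs: ["update", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  # NOTE(review): duplicates the `nodes` rule above (get/list/watch); harmless, could be dropped.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
---
# The cluster role for managing all the cluster-specific resources in a namespace
# (it is a ClusterRole so it can be bound with a RoleBinding in each CephCluster namespace;
# see the rook-ceph-cluster-mgmt RoleBinding below).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rook-ceph-cluster-mgmt
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
rules:
  - apiGroups:
      - ""
      - apps
      - extensions
    resources:
      - secrets
      - pods
      - pods/log
      - services
      - configmaps
      - deployments
      - daemonsets
    verbs:
      - get
      - list
      - watch
      - patch
      - create
      - update
      - delete
---
# The cluster role for managing the Rook CRDs
apiVersion: rbac.authorization.k8s.io/v1
# Rook watches for its CRDs in all namespaces, so this should be a cluster-scoped role unless the
# operator config `ROOK_CURRENT_NAMESPACE_ONLY=true`.
kind: ClusterRole
metadata:
  name: rook-ceph-global
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
rules:
  - apiGroups:
      - ""
    resources:
      # Pod access is needed for fencing
      - pods
      # Node access is needed for determining nodes where mons should run
      - nodes
      - nodes/proxy
      # Rook watches secrets which it uses to configure access to external resources.
      # e.g., external Ceph cluster or object store
      # (this is cluster-wide get/list/watch on every Secret; see the header note)
      - secrets
      # Rook watches for changes to the rook-operator-config configmap
      - configmaps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      # Rook creates events for its custom resources
      - events
      # Rook creates PVs and PVCs for OSDs managed by the Rook provisioner
      - persistentvolumes
      - persistentvolumeclaims
      # Rook creates endpoints for mgr and object store access
      - endpoints
      - services
    verbs:
      - get
      - list
      - watch
      - patch
      - create
      - update
      - delete
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - deletecollection
  # The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
  - apiGroups: ["ceph.rook.io"]
    resources:
      - cephclients
      - cephclusters
      - cephblockpools
      - cephfilesystems
      - cephnfses
      - cephobjectstores
      - cephobjectstoreusers
      - cephobjectrealms
      - cephobjectzonegroups
      - cephobjectzones
      - cephbuckettopics
      - cephbucketnotifications
      - cephrbdmirrors
      - cephfilesystemmirrors
      - cephfilesystemsubvolumegroups
      - cephblockpoolradosnamespaces
      - cephcosidrivers
    verbs:
      - get
      - list
      - watch
      # Ideally the update permission is not required, but Rook needs it to add finalizers to resources.
      - update
  # Rook must have update access to status subresources for its custom resources.
  - apiGroups: ["ceph.rook.io"]
    resources:
      - cephclients/status
      - cephclusters/status
      - cephblockpools/status
      - cephfilesystems/status
      - cephnfses/status
      - cephobjectstores/status
      - cephobjectstoreusers/status
      - cephobjectrealms/status
      - cephobjectzonegroups/status
      - cephobjectzones/status
      - cephbuckettopics/status
      - cephbucketnotifications/status
      - cephrbdmirrors/status
      - cephfilesystemmirrors/status
      - cephfilesystemsubvolumegroups/status
      - cephblockpoolradosnamespaces/status
    verbs: ["update"]
  # The "*/finalizers" permission may need to be strictly given for K8s clusters where
  # OwnerReferencesPermissionEnforcement is enabled so that Rook can set blockOwnerDeletion on
  # resources owned by Rook CRs (e.g., a Secret owned by an OSD Deployment). See more:
  # https://kubernetes.io/docs/reference/access-authn-authz/_print/#ownerreferencespermissionenforcement
  - apiGroups: ["ceph.rook.io"]
    resources:
      - cephclients/finalizers
      - cephclusters/finalizers
      - cephblockpools/finalizers
      - cephfilesystems/finalizers
      - cephnfses/finalizers
      - cephobjectstores/finalizers
      - cephobjectstoreusers/finalizers
      - cephobjectrealms/finalizers
      - cephobjectzonegroups/finalizers
      - cephobjectzones/finalizers
      - cephbuckettopics/finalizers
      - cephbucketnotifications/finalizers
      - cephrbdmirrors/finalizers
      - cephfilesystemmirrors/finalizers
      - cephfilesystemsubvolumegroups/finalizers
      - cephblockpoolradosnamespaces/finalizers
    verbs: ["update"]
  - apiGroups:
      - policy
      - apps
      - extensions
    resources:
      # This is for the clusterdisruption controller
      - poddisruptionbudgets
      # This is for both clusterdisruption and nodedrain controllers
      - deployments
      - replicasets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - deletecollection
  - apiGroups:
      - apps
    resources:
      # This is to add osd deployment owner ref on key rotation
      # cron jobs.
      - deployments/finalizers
    verbs:
      - update
  - apiGroups:
      - healthchecking.openshift.io
    resources:
      - machinedisruptionbudgets
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - machine.openshift.io
    resources:
      - machines
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - storage.k8s.io
    resources:
      - csidrivers
    verbs:
      - create
      - delete
      - get
      - update
  - apiGroups:
      - k8s.cni.cncf.io
    resources:
      - network-attachment-definitions
    verbs:
      - get
---
# Aspects of ceph-mgr that require cluster-wide access
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-cluster
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - nodes
      - nodes/proxy
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
      - list
      - get
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
---
# Aspects of ceph-mgr that require access to the system namespace
# (bound with a RoleBinding in the operator namespace; see rook-ceph-mgr-system below).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-system
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
---
# Used for provisioning ObjectBuckets (OBs) in response to ObjectBucketClaims (OBCs).
# Note: Rook runs a copy of the lib-bucket-provisioner's OBC controller.
# OBCs can be created in any Kubernetes namespace, so this must be a cluster-scoped role.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-object-bucket
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs:
      # OBC controller creates secrets and configmaps containing information for users about how to
      # connect to object buckets. It deletes them when an OBC is deleted.
      - get
      - create
      - update
      - delete
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs:
      # OBC controller gets parameters from the OBC's storageclass
      # Rook gets additional parameters from the OBC's storageclass
      - get
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbucketclaims"]
    verbs:
      # OBC controller needs to list/watch OBCs and get latest version of a reconciled OBC
      - list
      - watch
      - get
      # Ideally, update should not be needed, but the OBC controller updates the OBC with bucket
      # information outside of the status subresource
      - update
      # OBC controller does not delete OBCs; users do this
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbuckets"]
    verbs:
      # OBC controller needs to list/watch OBs and get latest version of a reconciled OB
      - list
      - watch
      - get
      # OBC controller creates an OB when an OBC's bucket has been provisioned by Ceph, updates them
      # when an OBC is updated, and deletes them when the OBC is de-provisioned.
      - create
      - update
      - delete
  - apiGroups: ["objectbucket.io"]
    resources: ["objectbucketclaims/status", "objectbuckets/status"]
    verbs:
      # OBC controller updates OBC and OB statuses
      - update
  - apiGroups: ["objectbucket.io"]
    # This does not strictly allow the OBC/OB controllers to update finalizers. That is handled by
    # the direct "update" permissions above. Instead, this allows Rook's controller to create
    # resources which are owned by OBs/OBCs and where blockOwnerDeletion is set.
    resources: ["objectbucketclaims/finalizers", "objectbuckets/finalizers"]
    verbs:
      - update
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-osd
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-system
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
rules:
  # Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
  # However, some Kubernetes APIs involve a "subresource", such as the logs for a pod. [...]
  # To represent this in an RBAC role, use a slash to delimit the resource and subresource.
  # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]
  # `pods/exec` create on a ClusterRole allows exec into any pod in the cluster; this is the
  # broadest grant in this file and is worth an audit-log alert when used from an unexpected pod.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: ["csiaddons.openshift.io"]
    resources: ["networkfences"]
    verbs: ["create", "get", "update", "delete", "watch", "list", "deletecollection"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get"]
  - apiGroups: ["csi.ceph.io"]
    resources: ["cephconnections"]
    verbs: ["create", "delete", "get", "list", "update", "watch"]
  - apiGroups: ["csi.ceph.io"]
    resources: ["clientprofiles"]
    verbs: ["create", "delete", "get", "list", "update", "watch"]
  - apiGroups: ["csi.ceph.io"]
    resources: ["operatorconfigs"]
    verbs: ["create", "delete", "get", "list", "update", "watch"]
  - apiGroups: ["csi.ceph.io"]
    resources: ["drivers"]
    verbs: ["create", "delete", "get", "list", "update", "watch"]
---
# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
# otherwise operator-sdk will create an individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cephfs-csi-nodeplugin-role
subjects:
  - kind: ServiceAccount
    name: rook-csi-cephfs-plugin-sa
    namespace: rook-ceph # namespace:operator
roleRef:
  kind: ClusterRole
  name: cephfs-csi-nodeplugin
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cephfs-csi-provisioner-role
subjects:
  - kind: ServiceAccount
    name: rook-csi-cephfs-provisioner-sa
    namespace: rook-ceph # namespace:operator
roleRef:
  kind: ClusterRole
  name: cephfs-external-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: objectstorage-provisioner-role-binding
  labels:
    app.kubernetes.io/part-of: container-object-storage-interface
    app.kubernetes.io/component: driver-ceph
    app.kubernetes.io/name: cosi-driver-ceph
subjects:
  - kind: ServiceAccount
    name: objectstorage-provisioner
    namespace: rook-ceph # namespace:operator
roleRef:
  kind: ClusterRole
  name: objectstorage-provisioner-role
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-csi-nodeplugin
subjects:
  - kind: ServiceAccount
    name: rook-csi-rbd-plugin-sa
    namespace: rook-ceph # namespace:operator
roleRef:
  kind: ClusterRole
  name: rbd-csi-nodeplugin
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-csi-provisioner-role
subjects:
  - kind: ServiceAccount
    name: rook-csi-rbd-provisioner-sa
    namespace: rook-ceph # namespace:operator
roleRef:
  kind: ClusterRole
  name: rbd-external-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
# Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-global
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-global
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: rook-ceph # namespace:operator
---
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-mgr-cluster
subjects:
  - kind: ServiceAccount
    name: rook-ceph-mgr
    namespace: rook-ceph # namespace:cluster
---
kind: ClusterRoleBinding
# Give Rook-Ceph Operator permissions to provision ObjectBuckets in response to ObjectBucketClaims.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-object-bucket
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-object-bucket
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: rook-ceph # namespace:operator
---
# Allow the ceph osd to access cluster-wide resources necessary for determining their topology location
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-osd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-osd
subjects:
  - kind: ServiceAccount
    name: rook-ceph-osd
    namespace: rook-ceph # namespace:cluster
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-system
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-system
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: rook-ceph # namespace:operator
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cephfs-external-provisioner-cfg
  namespace: rook-ceph # namespace:operator
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: ["csiaddons.openshift.io"]
    resources: ["csiaddonsnodes"]
    verbs: ["create"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-csi-nodeplugin
  namespace: rook-ceph # namespace:operator
rules:
  - apiGroups: ["csiaddons.openshift.io"]
    resources: ["csiaddonsnodes"]
    verbs: ["create"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-external-provisioner-cfg
  namespace: rook-ceph # namespace:operator
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: ["csiaddons.openshift.io"]
    resources: ["csiaddonsnodes"]
    verbs: ["create"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-cmd-reporter
  namespace: rook-ceph # namespace:cluster
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
---
# Aspects of ceph-mgr that operate within the cluster's namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph # namespace:cluster
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - pods/log
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
  - apiGroups:
      - ceph.rook.io
    resources:
      - cephclients
      - cephclusters
      - cephblockpools
      - cephfilesystems
      - cephnfses
      - cephobjectstores
      - cephobjectstoreusers
      - cephobjectrealms
      - cephobjectzonegroups
      - cephobjectzones
      - cephbuckettopics
      - cephbucketnotifications
      - cephrbdmirrors
      - cephfilesystemmirrors
      - cephfilesystemsubvolumegroups
      - cephblockpoolradosnamespaces
      - cephcosidrivers
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - patch
  - apiGroups:
      - apps
    resources:
      - deployments/scale
      - deployments
    verbs:
      - patch
      - delete
  # The core API group is spelled "" everywhere else in this file; keep it consistent.
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - delete
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph # namespace:cluster
rules:
  # this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
  # validating the connection details and for key rotation operations.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: ["ceph.rook.io"]
    resources: ["cephclusters", "cephclusters/finalizers"]
    verbs: ["get", "list", "create", "update", "delete"]
---
# Aspects of ceph osd purge job that require access to the cluster namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-purge-osd
  namespace: rook-ceph # namespace:cluster
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "update", "delete", "list"]
---
# Allow the operator to manage resources in its own namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rook-ceph-system
  namespace: rook-ceph # namespace:operator
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
      - services
    verbs:
      - get
      - list
      - watch
      - patch
      - create
      - update
      - delete
  - apiGroups:
      - apps
      - extensions
    resources:
      - daemonsets
      - statefulsets
      - deployments
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - delete
      - deletecollection
  - apiGroups:
      - batch
    resources:
      - cronjobs
    verbs:
      - delete
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - issuers
    verbs:
      - get
      - create
      - delete
  - apiGroups:
      - multicluster.x-k8s.io
    resources:
      - serviceexports
    verbs:
      - get
      - create
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cephfs-csi-provisioner-role-cfg
  namespace: rook-ceph # namespace:operator
subjects:
  - kind: ServiceAccount
    name: rook-csi-cephfs-provisioner-sa
    namespace: rook-ceph # namespace:operator
roleRef:
  kind: Role
  name: cephfs-external-provisioner-cfg
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-csi-nodeplugin-role-cfg
  namespace: rook-ceph # namespace:operator
subjects:
  - kind: ServiceAccount
    name: rook-csi-rbd-plugin-sa
    namespace: rook-ceph # namespace:operator
roleRef:
  kind: Role
  name: rbd-csi-nodeplugin
  apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-csi-provisioner-role-cfg
  namespace: rook-ceph # namespace:operator
subjects:
  - kind: ServiceAccount
    name: rook-csi-rbd-provisioner-sa
    namespace: rook-ceph # namespace:operator
roleRef:
  kind: Role
  name: rbd-external-provisioner-cfg
  apiGroup: rbac.authorization.k8s.io
---
# Allow the operator to create resources in this cluster's namespace
# (a RoleBinding to a ClusterRole scopes the grant to this namespace only).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-cluster-mgmt
  namespace: rook-ceph # namespace:cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-cluster-mgmt
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: rook-ceph # namespace:operator
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-cmd-reporter
  namespace: rook-ceph # namespace:cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-cmd-reporter
subjects:
  - kind: ServiceAccount
    name: rook-ceph-cmd-reporter
    namespace: rook-ceph # namespace:cluster
---
# Allow the ceph mgr to access resources scoped to the CephCluster namespace necessary for mgr modules
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph # namespace:cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-mgr
subjects:
  - kind: ServiceAccount
    name: rook-ceph-mgr
    namespace: rook-ceph # namespace:cluster
---
# Allow the ceph mgr to access resources in the Rook operator namespace necessary for mgr modules
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-mgr-system
  namespace: rook-ceph # namespace:operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-mgr-system
subjects:
  - kind: ServiceAccount
    name: rook-ceph-mgr
    namespace: rook-ceph # namespace:cluster
---
# Allow the osd pods in this namespace to work with configmaps
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph # namespace:cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-osd
subjects:
  - kind: ServiceAccount
    name: rook-ceph-osd
    namespace: rook-ceph # namespace:cluster
---
# Allow the osd purge job to run in this namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-purge-osd
  namespace: rook-ceph # namespace:cluster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-purge-osd
subjects:
  - kind: ServiceAccount
    name: rook-ceph-purge-osd
    namespace: rook-ceph # namespace:cluster
---
# Grant the operator, agent, and discovery agents access to resources in the rook-ceph-system namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rook-ceph-system
  namespace: rook-ceph # namespace:operator
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rook-ceph-system
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: rook-ceph # namespace:operator
---
# Service account for Ceph COSI driver
apiVersion: v1
kind: ServiceAccount
metadata:
  name: objectstorage-provisioner
  namespace: rook-ceph # namespace:operator
  labels:
    app.kubernetes.io/part-of: container-object-storage-interface
    app.kubernetes.io/component: driver-ceph
    app.kubernetes.io/name: cosi-driver-ceph
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for the job that reports the Ceph version in an image
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-cmd-reporter
  namespace: rook-ceph # namespace:cluster
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for other components
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-default
  namespace: rook-ceph # namespace:cluster
  labels:
    operator: rook
    storage-backend: ceph
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for Ceph mgrs
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-mgr
  namespace: rook-ceph # namespace:cluster
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for Ceph OSDs
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-osd
  namespace: rook-ceph # namespace:cluster
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for job that purges OSDs from a Rook-Ceph cluster
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-purge-osd
  namespace: rook-ceph # namespace:cluster
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for RGW server
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-rgw
  namespace: rook-ceph # namespace:cluster
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for the Rook-Ceph operator
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-ceph-system
  namespace: rook-ceph # namespace:operator
  labels:
    operator: rook
    storage-backend: ceph
    app.kubernetes.io/part-of: rook-ceph-operator
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for the CephFS CSI driver
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-csi-cephfs-plugin-sa
  namespace: rook-ceph # namespace:operator
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for the CephFS CSI provisioner
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-csi-cephfs-provisioner-sa
  namespace: rook-ceph # namespace:operator
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for the RBD CSI driver
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-csi-rbd-plugin-sa
  namespace: rook-ceph # namespace:operator
# imagePullSecrets:
# - name: my-registry-secret
---
# Service account for the RBD CSI provisioner
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rook-csi-rbd-provisioner-sa
  namespace: rook-ceph # namespace:operator
# imagePullSecrets:
# - name: my-registry-secret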