Kanister Operator RBAC (#4497)

with a new feature we are using PV and PVC and this requires additional permissions.
kanisterio · Dec 8, 2018 · ff5051d · ff5051d
1 parent afe6057
commit ff5051d
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 1 deletion.
diff --git a/bundle.yaml b/bundle.yaml
@@ -53,6 +53,47 @@ rules:
   - "*"
   verbs:
   - "*"
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
 ---
 apiVersion: v1
 kind: ServiceAccount

diff --git a/helm/kanister-operator/Chart.yaml b/helm/kanister-operator/Chart.yaml
@@ -9,5 +9,5 @@ maintainers:
   - email: tom@kasten.io
     name: tdmanv
 icon: https://kasten.io/assets/img/kanister-logo.png
-appVersion: 0.10.0
+appVersion: 0.14.0
 source: https://github.com/kanisterio/kanister
diff --git a/helm/kanister-operator/templates/rbac.yaml b/helm/kanister-operator/templates/rbac.yaml
@@ -55,3 +55,18 @@ subjects:
   name: {{ template "kanister-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 {{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  labels:
+{{ include "kanister-operator.helmLabels" . | indent 4 }}
+  name: {{ template "kanister-operator.fullname" . }}-pv-provisioner
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:persistent-volume-provisioner
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kanister-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}