Merge pull request #999 from mowangdk/cleanup/organize_rbac_privilege

feat: organize csi rbac privilege

deploy/ecs/rbac.yaml

@@ -1,14 +1,134 @@
+# csi-provisioner
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-admin
+  name: alicloud-csi-provisioner
   namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: alicloud-csi-provisioner
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "update", "create", "delete", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list", "watch", "update", "patch", "delete", "create"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
+# disable in use error , should be deleted
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch", "create"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["create", "list", "update", "patch"]
+  - apiGroups: ["storage.alibabacloud.com"]
+    resources: ["rules"]
+    verbs: ["get"]
+  - apiGroups: ["storage.alibabacloud.com"]
+    resources: ["containernetworkfilesystems"]
+    verbs: ["get","list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes/stats"]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: alicloud-csi-provisioner
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: alicloud-csi-provisioner
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: kube-system
+  name: alicloud-csi-provisioner
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list", "delete", "update", "create"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  resourceNames: ["csi-plugin", "ack-cluster-profile"]
+  verbs: ["get"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-provisioner-role-cfg
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: alicloud-csi-provisioner
+    namespace: kube-system
+roleRef:
+  kind: Role
+  name: alicloud-csi-provisioner
+  apiGroup: rbac.authorization.k8s.io
+
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: csi-fuse-ossfs
   namespace: kube-system
+
+# csi-plugin
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: alicloud-csi-plugin
+  namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -19,21 +139,10 @@ rules:
 - apiGroups: [""]
   resources: ["secrets"]
   resourceNames: ["csi-ossfs-credentials"]
-  verbs: ["get", "create", "patch"]
+  verbs: ["get", "patch"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get", "list", "watch", "create", "delete" ]
-- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames: ["csi-local-plugin-cert"]
-  verbs: ["get"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create"]
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  resourceNames: ["csi-fuse-ossfs"]
-  verbs: ["get"]
 - apiGroups: [""]
   resources: ["endpoints"]
   resourceNames: ["cnfs-cache-ds-service"]
@@ -46,6 +155,10 @@ rules:
   resources: ["services"]
   resourceNames: ["storage-monitor-service"]
   verbs: ["get"]
+- apiGroups: [""]
+  resources: ["serviceaccounts"]
+  resourceNames: ["csi-fuse-ossfs"]
+  verbs: ["get"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -130,7 +243,7 @@ roleRef:
   name: alicloud-csi-plugin
 subjects:
 - kind: ServiceAccount
-  name: csi-admin
+  name: alicloud-csi-plugin
   namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -143,6 +256,5 @@ roleRef:
   name: alicloud-csi-plugin
 subjects:
 - kind: ServiceAccount
-  name: csi-admin
+  name: alicloud-csi-plugin
   namespace: kube-system
----