longhorn/chart/templates/clusterrole.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: longhorn-role
  labels: {{- include "longhorn.labels" . | nindent 4 }}
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - "*"
- apiGroups: [""]
  resources: ["pods", "events", "persistentvolumes", "persistentvolumeclaims","persistentvolumeclaims/status", "nodes", "proxy/nodes", "pods/log", "secrets", "services", "endpoints", "configmaps", "serviceaccounts"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "statefulsets", "deployments"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["*"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets", "podsecuritypolicies"]
  verbs: ["*"]
- apiGroups: ["scheduling.k8s.io"]
  resources: ["priorityclasses"]
  verbs: ["watch", "list"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses", "volumeattachments", "volumeattachments/status", "csinodes", "csidrivers"]
  verbs: ["*"]
- apiGroups: ["snapshot.storage.k8s.io"]
  resources: ["volumesnapshotclasses", "volumesnapshots", "volumesnapshotcontents", "volumesnapshotcontents/status"]
  verbs: ["*"]
- apiGroups: ["longhorn.io"]
  resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings",
              "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status",
  {{- if .Values.openshift.enabled }}
              "engineimages/finalizers", "nodes/finalizers", "instancemanagers/finalizers",
  {{- end }}
              "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status",
              "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status",
              "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status",
              "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status",
              "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status",
              "volumeattachments", "volumeattachments/status"]
  verbs: ["*"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["*"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apiregistration.k8s.io"]
  resources: ["apiservices"]
  verbs: ["list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
  verbs: ["get", "list", "create", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings", "clusterrolebindings", "clusterroles"]
  verbs: ["*"]
{{- if .Values.openshift.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: longhorn-ocp-privileged-role
  labels: {{- include "longhorn.labels" . | nindent 4 }}
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["anyuid", "privileged"]
  verbs: ["use"]
{{- end }}
chart: Update to use appsV1 API Signed-off-by: Sheng Yang <sheng.yang@rancher.com> 2019-09-20 20:45:56 +00:00			`apiVersion: rbac.authorization.k8s.io/v1`
chart: added longhorn v0.4.1 chart 2019-05-08 17:21:58 +00:00			`kind: ClusterRole`
			`metadata:`
			`name: longhorn-role`
chart: Add Helm standard labels to templates Signed-off-by: Michael William Le Nguyen <michael@mail.ttp.codes> 2020-07-08 23:56:34 +00:00			`labels: {{- include "longhorn.labels" . \| nindent 4 }}`
chart: added longhorn v0.4.1 chart 2019-05-08 17:21:58 +00:00			`rules:`
			`- apiGroups:`
			`- apiextensions.k8s.io`
			`resources:`
			`- customresourcedefinitions`
			`verbs:`
			`- "*"`
			`- apiGroups: [""]`
feat(system-backup/restore): update chart Ref: 1455 Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com> 2022-11-22 06:06:19 +00:00			`resources: ["pods", "events", "persistentvolumes", "persistentvolumeclaims","persistentvolumeclaims/status", "nodes", "proxy/nodes", "pods/log", "secrets", "services", "endpoints", "configmaps", "serviceaccounts"]`
chart: added longhorn v0.4.1 chart 2019-05-08 17:21:58 +00:00			`verbs: ["*"]`
			`- apiGroups: [""]`
			`resources: ["namespaces"]`
			`verbs: ["get", "list"]`
			`- apiGroups: ["apps"]`
			`resources: ["daemonsets", "statefulsets", "deployments"]`
			`verbs: ["*"]`
			`- apiGroups: ["batch"]`
			`resources: ["jobs", "cronjobs"]`
			`verbs: ["*"]`
Update Helm chart templates for Longhorn v1.1.0 Longhorn #1906 Signed-off-by: Phan Le <phan.le@rancher.com> 2020-10-23 23:39:05 +00:00			`- apiGroups: ["policy"]`
feat(system-backup/restore): update chart Ref: 1455 Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com> 2022-11-22 06:06:19 +00:00			`resources: ["poddisruptionbudgets", "podsecuritypolicies"]`
Update Helm chart templates for Longhorn v1.1.0 Longhorn #1906 Signed-off-by: Phan Le <phan.le@rancher.com> 2020-10-23 23:39:05 +00:00			`verbs: ["*"]`
Update deploy for v1.0.1-rc1 Signed-off-by: Michael William Le Nguyen <michael@mail.ttp.codes> 2020-07-14 22:29:20 +00:00			`- apiGroups: ["scheduling.k8s.io"]`
			`resources: ["priorityclasses"]`
			`verbs: ["watch", "list"]`
chart: added longhorn v0.4.1 chart 2019-05-08 17:21:58 +00:00			`- apiGroups: ["storage.k8s.io"]`
Bump CSI external components version Longhorn 2757 Signed-off-by: phanle1010 <phan.le@suse.com> 2021-08-24 21:17:21 +00:00			`resources: ["storageclasses", "volumeattachments", "volumeattachments/status", "csinodes", "csidrivers"]`
chart: added longhorn v0.4.1 chart 2019-05-08 17:21:58 +00:00			`verbs: ["*"]`
Update Helm chart templates for Longhorn v1.1.0 Longhorn #1906 Signed-off-by: Phan Le <phan.le@rancher.com> 2020-10-23 23:39:05 +00:00			`- apiGroups: ["snapshot.storage.k8s.io"]`
			`resources: ["volumesnapshotclasses", "volumesnapshots", "volumesnapshotcontents", "volumesnapshotcontents/status"]`
chart: Remove some redundancy for the chart 1. Remove the redundancy rule in clusterrole.yaml 2. Simplify the chart private registry setting. Longhorn #1818 Signed-off-by: Shuo Wu <shuo@rancher.com> 2020-09-29 09:16:09 +00:00			`verbs: ["*"]`
helm: Update Longhorn cluster role Signed-off-by: Shuo Wu <shuo@rancher.com> 2019-11-08 04:45:44 +00:00			`- apiGroups: ["longhorn.io"]`
			`resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings",`
chart: Introduce longhorn share manager Longhorn #2043 Signed-off-by: Shuo Wu <shuo@rancher.com> 2020-12-07 05:32:05 +00:00			`"engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status",`
OCP / OKD Documentation and Helm Support (#5004) * Add OCP support to helm chart. Signed-off-by: Bin Guo <bin.guo@casa-systems.com> Signed-off-by: Arthur <arthur@arthurvardevanyan.com> Co-authored-by: Bin Guo <bin.guo@casa-systems.com> Co-authored-by: David Ko <dko@suse.com> Co-authored-by: binguo-casa <70552879+binguo-casa@users.noreply.github.com> 2023-08-24 11:12:38 +00:00			`{{- if .Values.openshift.enabled }}`
			`"engineimages/finalizers", "nodes/finalizers", "instancemanagers/finalizers",`
			`{{- end }}`
chart: Update chart for the enhanced backing image feature Longhorn #2530 Signed-off-by: Shuo Wu <shuo.wu@suse.com> 2021-08-10 03:46:51 +00:00			`"sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status",`
Release longhorn v1.2.0-preview1 Signed-off-by: David Ko <dko@suse.com> 2021-08-11 17:03:23 +00:00			`"backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status",`
Update chart for label-driven recurring job Longhorn-467 Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com> 2021-08-17 03:11:42 +00:00			`"backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status",`
feat(support-bundle): update chart Ref: 2759 Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com> 2022-11-21 08:04:00 +00:00			`"recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status",`
Update chart for new AD refactoring longhorn-3715 Signed-off-by: Phan Le <phan.le@suse.com> 2023-03-08 00:39:36 +00:00			`"supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status",`
			`"volumeattachments", "volumeattachments/status"]`
helm: Update Longhorn cluster role Signed-off-by: Shuo Wu <shuo@rancher.com> 2019-11-08 04:45:44 +00:00			`verbs: ["*"]`
Update Helm chart templates for Longhorn v1.1.0 Longhorn #1906 Signed-off-by: Phan Le <phan.le@rancher.com> 2020-10-23 23:39:05 +00:00			`- apiGroups: ["coordination.k8s.io"]`
			`resources: ["leases"]`
			`verbs: ["*"]`
			`- apiGroups: ["metrics.k8s.io"]`
			`resources: ["pods", "nodes"]`
chart: Sync chart with the YAML files in longhorn-manager Longhorn #1818, #1813 Signed-off-by: Shuo Wu <shuo@rancher.com> 2020-11-11 12:08:22 +00:00			`verbs: ["get", "list"]`
chart: add conversion and admission webhook services Signed-off-by: Derek Su <derek.su@suse.com> (cherry picked from commit c5159e1774c42d47a9a1ba3500accd11c05420b7) 2022-02-10 16:07:36 +00:00			`- apiGroups: ["apiregistration.k8s.io"]`
			`resources: ["apiservices"]`
			`verbs: ["list", "watch"]`
			`- apiGroups: ["admissionregistration.k8s.io"]`
			`resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]`
Add missing webhook RBAC rule for uninstaller Longhorn-2034 Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com> 2022-03-28 11:05:25 +00:00			`verbs: ["get", "list", "create", "patch", "delete"]`
feat(system-backup/restore): update chart Ref: 1455 Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com> 2022-11-22 06:06:19 +00:00			`- apiGroups: ["rbac.authorization.k8s.io"]`
			`resources: ["roles", "rolebindings", "clusterrolebindings", "clusterroles"]`
			`verbs: ["*"]`
OCP / OKD Documentation and Helm Support (#5004) * Add OCP support to helm chart. Signed-off-by: Bin Guo <bin.guo@casa-systems.com> Signed-off-by: Arthur <arthur@arthurvardevanyan.com> Co-authored-by: Bin Guo <bin.guo@casa-systems.com> Co-authored-by: David Ko <dko@suse.com> Co-authored-by: binguo-casa <70552879+binguo-casa@users.noreply.github.com> 2023-08-24 11:12:38 +00:00			`{{- if .Values.openshift.enabled }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: longhorn-ocp-privileged-role`
			`labels: {{- include "longhorn.labels" . \| nindent 4 }}`
			`rules:`
			`- apiGroups: ["security.openshift.io"]`
			`resources: ["securitycontextconstraints"]`
			`resourceNames: ["anyuid", "privileged"]`
			`verbs: ["use"]`
			`{{- end }}`