---
# 创建服务账号
kind: ServiceAccount
apiVersion: v1
metadata:
# 服务账号名
name: nfs-client-provisioner
# 替换为deployment的命名空间
namespace: kube-system
---
# 创建集群角色
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# 集群角色名
name: nfs-client-provisioner-runner
# 添加集群角色权限
rules:
- apiGroups: [""]
# 向该角色增加对PV执行查看,创建,删除 权限
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
# 向该角色增加对PVC执行查看,更新 权限
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
# 向该角色增加对动态存储类执行查看 权限
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
# 向该角色增加对events(集群事件)进行 创建 更新 补丁 权限
resources: ["events"]
verbs: ["create", "update", "patch"]
---
# 创建集群角色绑定
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# 角色绑定的名称
name: run-nfs-client-provisioner
subjects:
# 绑定服务账号
- kind: ServiceAccount
# 要绑定的服务账号名--就是第一个yaml创建的sa
name: nfs-client-provisioner
# 绑定到哪个命名空间
namespace: kube-system
roleRef:
kind: ClusterRole
# 要绑定的集群角色名--就是第2个yaml创建的集群角色
name: nfs-client-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# 创建role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# 创建的角色名
name: leader-locking-nfs-client-provisioner
rules:
- apiGroups: [""]
# 向该角色增加对endpoint 查看 创建 更新 补丁 的权限
resources: ["endpoints"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# 创建role绑定
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
# 该角色绑定的名字
name: leader-locking-nfs-client-provisioner
subjects:
- kind: ServiceAccount
# 要绑定的服务账号名--就是第一个yaml创建的服务账号
name: nfs-client-provisioner
# 替换为deployment要部署到的命名空间
# 绑定到kube-system命名空间
namespace: kube-system
roleRef:
kind: Role
# 要绑定的角色名称,就是上一个yaml创建的role
name: leader-locking-nfs-client-provisioner
apiGroup: rbac.authorization.k8s.io
评论0