{{- /*
RBAC objects bound to the provisioner's ServiceAccount.
Everything is gated on .Values.common.rbac.create. The Jobs Role/RoleBinding
is additionally gated on .Values.common.useJobForCleaning, and the PSP
Role/RoleBinding on .Values.common.rbac.pspEnabled.
*/ -}}
{{- if .Values.common.rbac.create }}
# Cluster-wide binding of the provisioner ServiceAccount to the
# system:persistent-volume-provisioner ClusterRole. That role's rules are not
# defined in this template, so the effective permissions depend on what the
# cluster ships under that name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "provisioner.fullname" . }}-pv-binding
  labels:
    helm.sh/chart: {{ include "provisioner.chart" . }}
    app.kubernetes.io/name: {{ include "provisioner.name" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
subjects:
  - kind: ServiceAccount
    name: {{ include "provisioner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: system:persistent-volume-provisioner
  apiGroup: rbac.authorization.k8s.io
---
# Read-only access to Node objects: the single verb "get" on "nodes" in the
# core API group. Nodes are cluster-scoped, hence a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "provisioner.fullname" . }}-node-clusterrole
  labels:
    helm.sh/chart: {{ include "provisioner.chart" . }}
    app.kubernetes.io/name: {{ include "provisioner.name" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
---
# Grants the node ClusterRole above to the provisioner ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "provisioner.fullname" . }}-node-binding
  labels:
    helm.sh/chart: {{ include "provisioner.chart" . }}
    app.kubernetes.io/name: {{ include "provisioner.name" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
subjects:
  - kind: ServiceAccount
    name: {{ include "provisioner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ include "provisioner.fullname" . }}-node-clusterrole
  apiGroup: rbac.authorization.k8s.io
{{- if .Values.common.useJobForCleaning }}
---
# Namespaced Role over batch/jobs, limited to the release namespace.
# NOTE(review): the "*" verb grants every operation on Jobs, including any verb
# added to the API later. A subject that can create Jobs can get arbitrary pod
# specs scheduled in this namespace, so this Role widens the ServiceAccount's
# reach well beyond volume cleanup. Consider listing only the verbs the
# provisioner needs; confirm that set against the provisioner before narrowing.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "provisioner.fullname" . }}-jobs-role
  namespace: {{ .Release.Namespace }}
  labels:
    helm.sh/chart: {{ include "provisioner.chart" . }}
    app.kubernetes.io/name: {{ include "provisioner.name" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
rules:
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - "*"
---
# Grants the Jobs Role above to the provisioner ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "provisioner.fullname" . }}-jobs-rolebinding
  namespace: {{ .Release.Namespace }}
  labels:
    helm.sh/chart: {{ include "provisioner.chart" . }}
    app.kubernetes.io/name: {{ include "provisioner.name" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
subjects:
  - kind: ServiceAccount
    name: {{ include "provisioner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "provisioner.fullname" . }}-jobs-role
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- if .Values.common.rbac.pspEnabled }}
---
# Allows "use" of exactly one PodSecurityPolicy, selected by resourceNames.
# Presumably a PodSecurityPolicy with the same fullname is defined elsewhere in
# the chart; it is not visible in this template.
# NOTE(review): PodSecurityPolicy was removed in Kubernetes v1.25, so this
# toggle only has an effect on older clusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "provisioner.fullname" . }}-psp-role
  namespace: {{ .Release.Namespace }}
  labels:
    helm.sh/chart: {{ include "provisioner.chart" . }}
    app.kubernetes.io/name: {{ include "provisioner.name" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - {{ include "provisioner.fullname" . }}
    verbs:
      - use
---
# Grants the PSP Role above to the provisioner ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "provisioner.fullname" . }}-psp-rolebinding
  namespace: {{ .Release.Namespace }}
  labels:
    helm.sh/chart: {{ include "provisioner.chart" . }}
    app.kubernetes.io/name: {{ include "provisioner.name" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
subjects:
  - kind: ServiceAccount
    name: {{ include "provisioner.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "provisioner.fullname" . }}-psp-role
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}