Merge pull request #72 from ccremer/chart-fix-perm

Allow RBAC permissions for leader election

charts/kubernetes-zfs-provisioner/Chart.yaml

@@ -14,7 +14,7 @@ description: Dynamic ZFS persistent volume provisioner for Kubernetes
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 2.0.0
+version: 2.0.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.

charts/kubernetes-zfs-provisioner/README.md

@@ -1,6 +1,6 @@
 # kubernetes-zfs-provisioner
 
-![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square)
+![Version: 2.0.1](https://img.shields.io/badge/Version-2.0.1-informational?style=flat-square)
 
 Dynamic ZFS persistent volume provisioner for Kubernetes
 

charts/kubernetes-zfs-provisioner/templates/rbac.yaml

@@ -1,30 +1,99 @@
 {{- if .Values.rbac.create -}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: {{ include "kubernetes-zfs-provisioner.fullname" . }}-binding
+  name: '{{ include "kubernetes-zfs-provisioner.fullname" . }}-controller'
   labels:
     {{- include "kubernetes-zfs-provisioner.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:persistent-volume-provisioner
-subjects:
-- kind: ServiceAccount
-  name: {{ include "kubernetes-zfs-provisioner.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+rules:
+# leader election
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - list
+      - update
+
+# system:controller:endpoint-controller
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - endpoints
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - endpoints/restricted
+    verbs:
+      - create
+  - apiGroups:
+      - ''
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+      - watch
+
+# system:persistent-volume-provisioner (deduplicated)
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumes
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - get
+      - list
+      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "kubernetes-zfs-provisioner.fullname" . }}-leaderelection
+  name: {{ include "kubernetes-zfs-provisioner.fullname" . }}
   labels:
     {{- include "kubernetes-zfs-provisioner.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: system:controller:endpoint-controller
+  name: '{{ include "kubernetes-zfs-provisioner.fullname" . }}-controller'
 subjects:
 - kind: ServiceAccount
   name: {{ include "kubernetes-zfs-provisioner.serviceAccountName" . }}