Update secret-store rbac

Adrien Reslinger 2020-08-11 01:43:07 +02:00
parent b883b17fe7
commit 766e34dbf3
3 changed files with 34 additions and 7 deletions


@ -12,8 +12,6 @@ spec:
labels:
app: csi-secrets-store
spec:
nodeSelector:
beta.kubernetes.io/os: linux
serviceAccountName: secrets-store-csi-driver
hostNetwork: true
containers:
@ -45,12 +43,13 @@ spec:
- name: registration-dir
mountPath: /registration
- name: secrets-store
image: docker.io/deislabs/secrets-store-csi:v0.0.11
image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.12
args:
- "--debug=true"
- "--endpoint=$(CSI_ENDPOINT)"
- "--nodeid=$(KUBE_NODE_NAME)"
- "--provider-volume=/etc/kubernetes/secrets-store-csi-providers"
- "--metrics-addr=:8080"
env:
- name: CSI_ENDPOINT
value: unix:///csi/csi.sock
@ -83,12 +82,13 @@ spec:
- name: providers-dir
mountPath: /etc/kubernetes/secrets-store-csi-providers
- name: liveness-probe
image: quay.io/k8scsi/livenessprobe:v1.1.0
image: quay.io/k8scsi/livenessprobe:v2.0.0
imagePullPolicy: Always
args:
- --csi-address=/csi/csi.sock
- --probe-timeout=3s
- --health-port=9808
- -v=2
volumeMounts:
- name: plugin-dir
mountPath: /csi
@ -109,3 +109,5 @@ spec:
hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
type: DirectoryOrCreate
nodeSelector:
kubernetes.io/os: linux
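Review bot: The `--metrics-addr=:8080` argument on the secrets-store container binds the metrics listener to all interfaces while the pod spec keeps `hostNetwork: true`, so the endpoint would be reachable on each node's own addresses. The hunk counts suggest this flag is one of the added lines, although the +/- markers are lost on this page. If only in-cluster scraping is intended, restrict the port at the node firewall and record the decision next to the argument, for example `# hostNetwork: metrics on :8080 are reachable on node IPs; restricted by node firewall`. Separately, `--debug=true` is still passed to a container that handles secret material, and both images are referenced by tag rather than digest; confirm both are intended for this environment.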


@ -11,6 +11,7 @@ rules:
- get
- list
- update
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
@ -19,6 +20,7 @@ rules:
- get
- patch
- update
- watch
- apiGroups:
- ""
resources:
@ -28,3 +30,26 @@ rules:
- delete
- get
- update
- patch
- list
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses/status
verbs:
- get
- update
- patch
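Review bot: The `patch`, `list` and `watch` verbs added to the core API group rule (apiGroups `""`) widen what the driver's service account can read, and the rule's `resources` list sits above the hunk, so the affected resource is not visible here. If that resource is `secrets`, `list` and `watch` allow the account to read every secret within the role's scope, and the driver appears to run on every node. Please confirm that v0.0.12 needs these verbs and note the reason beside the rule, for example `# list/watch required by <driver feature>; drop if that feature is not used`. The new `secretproviderclasspodstatuses` rules are limited to the driver's own API group and look proportionate.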


@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.4
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: secretproviderclasses.secrets-store.csi.x-k8s.io
spec:
@ -21,12 +21,12 @@ spec:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object