ceph: update rook-ceph-mgr-cluster role rules to include PV and SC

Since we changed the Rook orchestrator module for Ceph, it now has to access Storage Classes and Persistent Volumes in the cluster to gather inventory and create OSDs so we have to make changes to the rook-ceph-mgr-cluster role so the orchestrator has permission to access these resources. Signed-off-by: Joseph Sawaya <jsawaya@redhat.com>
rook · Jul 26, 2021 · 1ddc390 · 1ddc390
1 parent ce5777e
commit 1ddc390
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/cluster/charts/rook-ceph/templates/clusterrole.yaml b/cluster/charts/rook-ceph/templates/clusterrole.yaml
@@ -164,6 +164,7 @@ rules:
   - configmaps
   - nodes
   - nodes/proxy
+  - persistentvolumes
   verbs:
   - get
   - list
@@ -178,6 +179,14 @@ rules:
   - list
   - get
   - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
 ---
 # Aspects of ceph-mgr that require access to the system namespace
 kind: ClusterRole

diff --git a/cluster/examples/kubernetes/ceph/common.yaml b/cluster/examples/kubernetes/ceph/common.yaml
@@ -290,6 +290,7 @@ rules:
       - configmaps
       - nodes
       - nodes/proxy
+      - persistentvolumes
     verbs:
       - get
       - list
@@ -304,6 +305,14 @@ rules:
       - list
       - get
       - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - get
+      - list
+      - watch
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1