From 1ddc390d1e2fa0b8a679a0c4a39a119c466fec35 Mon Sep 17 00:00:00 2001
From: Joseph Sawaya
Date: Tue, 20 Jul 2021 16:15:31 -0400
Subject: [PATCH] ceph: update rook-ceph-mgr-cluster role rules to include PV and SC

Since we changed the Rook orchestrator module for Ceph, it now has to access Storage Classes and Persistent Volumes in the cluster to gather inventory and create OSDs so we have to make changes to the rook-ceph-mgr-cluster role so the orchestrator has permission to access these resources.

Signed-off-by: Joseph Sawaya
---
 cluster/charts/rook-ceph/templates/clusterrole.yaml | 9 +++++++++
 cluster/examples/kubernetes/ceph/common.yaml | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/cluster/charts/rook-ceph/templates/clusterrole.yaml b/cluster/charts/rook-ceph/templates/clusterrole.yaml
index b528404890b2..8afd7dd23d5c 100644
--- a/cluster/charts/rook-ceph/templates/clusterrole.yaml
+++ b/cluster/charts/rook-ceph/templates/clusterrole.yaml
@@ -164,6 +164,7 @@ rules:
 - configmaps
 - nodes
 - nodes/proxy
+ - persistentvolumes
 verbs:
 - get
 - list
@@ -178,6 +179,14 @@ rules:
 - list
 - get
 - watch
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
 ---
 # Aspects of ceph-mgr that require access to the system namespace
 kind: ClusterRole
diff --git a/cluster/examples/kubernetes/ceph/common.yaml b/cluster/examples/kubernetes/ceph/common.yaml
index 1594b023fc37..7ab27bf5d58f 100644
--- a/cluster/examples/kubernetes/ceph/common.yaml
+++ b/cluster/examples/kubernetes/ceph/common.yaml
@@ -290,6 +290,7 @@ rules:
 - configmaps
 - nodes
 - nodes/proxy
+ - persistentvolumes
 verbs:
 - get
 - list
@@ -304,6 +305,14 @@ rules:
 - list
 - get
 - watch
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
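Review bot: `persistentvolumes` is appended to an existing shared rule that also covers `nodes/proxy`, so in the first hunk of clusterrole.yaml (and the matching hunk at line 290 of common.yaml) the new grant inherits whatever verbs that rule carries, now and after any later edit. The rule starts before the hunk and its verbs list runs past the end, so only `get` and `list` are visible here; if the rule ever holds more than read verbs, cluster-wide PV access widens with it. A dedicated rule for `persistentvolumes`, limited to the read verbs the orchestrator module needs, would keep this grant auditable on its own. I would put a comment such as `# Rook orchestrator mgr module reads PVs to gather inventory and create OSDs` above it.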
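Review bot: The new `storage.k8s.io` rule in the second hunk of clusterrole.yaml (and the matching hunk at line 305 of common.yaml) carries no comment explaining why ceph-mgr needs it, although it is a cluster-wide grant. It lets the mgr service account read every StorageClass, including `parameters` that may name secrets or hold provisioner settings for storage backends unrelated to Rook. The read-only verbs `get`, `list`, `watch` look like the right minimum for inventory gathering. I would add `# Rook orchestrator mgr module reads StorageClasses to gather inventory and create OSDs` above `- apiGroups:` in both files. The rule is duplicated by hand between the chart template and common.yaml, so a short note that the two must stay in sync would help keep the RBAC surface identical across install paths.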