From 105494c6cdb0581eb1749054c53c76c0f5e2c048 Mon Sep 17 00:00:00 2001 From: xixi Date: Wed, 22 Nov 2023 17:16:55 +0800 Subject: [PATCH 1/2] add more RBAC permissions for dashboard leader election Signed-off-by: xixi --- deploy/k8s.yaml | 26 ++++++++++++- deploy/k8s_before_v1_18.yaml | 26 ++++++++++++- deploy/kubernetes/base/resources.yaml | 26 ++++++++++++- deploy/webhook-with-certmanager.yaml | 26 ++++++++++++- deploy/webhook.yaml | 26 ++++++++++++- scripts/juicefs-csi-webhook-install.sh | 52 +++++++++++++++++++++++++- 6 files changed, 175 insertions(+), 7 deletions(-) diff --git a/deploy/k8s.yaml b/deploy/k8s.yaml index 7ee7c17e4d..cdffc16663 100644 --- a/deploy/k8s.yaml +++ b/deploy/k8s.yaml @@ -63,9 +63,11 @@ rules: resources: - events verbs: - - get - list - watch + - create + - update + - patch - apiGroups: - "" resources: @@ -94,6 +96,28 @@ rules: - get - list - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - update + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/deploy/k8s_before_v1_18.yaml b/deploy/k8s_before_v1_18.yaml index afab62f1fe..36279d1841 100644 --- a/deploy/k8s_before_v1_18.yaml +++ b/deploy/k8s_before_v1_18.yaml @@ -63,9 +63,11 @@ rules: resources: - events verbs: - - get - list - watch + - create + - update + - patch - apiGroups: - "" resources: @@ -94,6 +96,28 @@ rules: - get - list - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - update + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/deploy/kubernetes/base/resources.yaml b/deploy/kubernetes/base/resources.yaml index b309b312bc..7b4de35c34 100644 --- a/deploy/kubernetes/base/resources.yaml +++ b/deploy/kubernetes/base/resources.yaml @@ -236,9 +236,11 @@ rules: resources: - events verbs: - - get - list - watch + - create + - update + - patch - apiGroups: - "" resources: @@ -267,6 +269,28 @@ rules: - get - list - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - update + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/deploy/webhook-with-certmanager.yaml b/deploy/webhook-with-certmanager.yaml index c4c3af1b4c..257bb95bcc 100644 --- a/deploy/webhook-with-certmanager.yaml +++ b/deploy/webhook-with-certmanager.yaml @@ -53,9 +53,11 @@ rules: resources: - events verbs: - - get - list - watch + - create + - update + - patch - apiGroups: - "" resources: @@ -84,6 +86,28 @@ rules: - get - list - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - update + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml index da6768466a..3454f3c5a8 100644 --- a/deploy/webhook.yaml +++ b/deploy/webhook.yaml @@ -53,9 +53,11 @@ rules: resources: - events verbs: - - get - list - watch + - create + - update + - patch - apiGroups: - "" resources: @@ -84,6 +86,28 @@ rules: - get - list - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - update + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/scripts/juicefs-csi-webhook-install.sh b/scripts/juicefs-csi-webhook-install.sh index 83c771b493..ed29790b31 100755 --- a/scripts/juicefs-csi-webhook-install.sh +++ b/scripts/juicefs-csi-webhook-install.sh @@ -124,9 +124,11 @@ rules: resources: - events verbs: - - get - list - watch + - create + - update + - patch - apiGroups: - "" resources: @@ -155,6 +157,28 @@ rules: - get - list - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - update + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -756,9 +780,11 @@ rules: resources: - events verbs: - - get - list - watch + - create + - update + - patch - apiGroups: - "" resources: @@ -787,6 +813,28 @@ rules: - get - list - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + - delete + - update + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole From 7dbe46f98a39ef307008eedb052d436cbcb021df Mon Sep 17 00:00:00 2001 From: xixi Date: Wed, 22 Nov 2023 17:19:47 +0800 Subject: [PATCH 2/2] add get Signed-off-by: xixi --- deploy/k8s.yaml | 1 + deploy/k8s_before_v1_18.yaml | 1 + deploy/kubernetes/base/resources.yaml | 1 + deploy/webhook-with-certmanager.yaml | 1 + deploy/webhook.yaml | 1 + scripts/juicefs-csi-webhook-install.sh | 2 ++ 6 files changed, 7 insertions(+) diff --git a/deploy/k8s.yaml b/deploy/k8s.yaml index cdffc16663..021d4a32a4 100644 --- a/deploy/k8s.yaml +++ b/deploy/k8s.yaml @@ -63,6 +63,7 @@ rules: resources: - events verbs: + - get - list - watch - create diff --git a/deploy/k8s_before_v1_18.yaml b/deploy/k8s_before_v1_18.yaml index 36279d1841..86dc5ef4f7 100644 --- a/deploy/k8s_before_v1_18.yaml +++ b/deploy/k8s_before_v1_18.yaml @@ -63,6 +63,7 @@ rules: resources: - events verbs: + - get - list - watch - create diff --git a/deploy/kubernetes/base/resources.yaml b/deploy/kubernetes/base/resources.yaml index 7b4de35c34..af6dfa00c5 100644 --- a/deploy/kubernetes/base/resources.yaml +++ b/deploy/kubernetes/base/resources.yaml @@ -236,6 +236,7 @@ rules: resources: - events verbs: + - get - list - watch - create diff --git a/deploy/webhook-with-certmanager.yaml b/deploy/webhook-with-certmanager.yaml index 257bb95bcc..11f0b92433 100644 --- a/deploy/webhook-with-certmanager.yaml +++ b/deploy/webhook-with-certmanager.yaml @@ -53,6 +53,7 @@ rules: resources: - events verbs: + - get - list - watch - create diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml index 3454f3c5a8..bf99d4f434 100644 --- a/deploy/webhook.yaml +++ b/deploy/webhook.yaml @@ -53,6 +53,7 @@ rules: resources: - events verbs: + - get - list - watch - create diff --git a/scripts/juicefs-csi-webhook-install.sh b/scripts/juicefs-csi-webhook-install.sh index ed29790b31..84a34648ae 100755 --- a/scripts/juicefs-csi-webhook-install.sh +++ b/scripts/juicefs-csi-webhook-install.sh @@ -124,6 +124,7 @@ rules: resources: - events verbs: + - get - list - watch - create @@ -780,6 +781,7 @@ rules: resources: - events verbs: + - get - list - watch - create