inyee786/openebs-service-account.yaml

## openebs-service-account.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openebs
---
# Create Maya Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openebs-maya-operator
  namespace: openebs
---
# Define Role that allows operations on K8s pods/deployments
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: openebs-maya-operator
rules:
- apiGroups: ["*"]
  resources: ["nodes", "nodes/proxy"]
  verbs: ["*"]
- apiGroups: ["*"]
  resources: ["namespaces", "services", "pods", "deployments", "events", "endpoints", "configmaps", "jobs"]
  verbs: ["*"]
- apiGroups: ["*"]
  resources: ["storageclasses", "persistentvolumeclaims", "persistentvolumes"]
  verbs: ["*"]
- apiGroups: ["volumesnapshot.external-storage.k8s.io"]
  resources: ["volumesnapshots", "volumesnapshotdatas"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: [ "get", "list", "create", "update", "delete"]
- apiGroups: ["*"]
  resources: [ "disks"]
  verbs: ["*" ]
- apiGroups: ["*"]
  resources: [ "storagepoolclaims", "storagepools"]
  verbs: ["*" ]
- apiGroups: ["*"]
  resources: [ "castemplates", "runtasks"]
  verbs: ["*" ]
- apiGroups: ["*"]
  resources: [ "cstorpools", "cstorvolumereplicas", "cstorvolumes"]
  verbs: ["*" ]
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
- apiGroups:
  - extensions
  resourceNames:
  - suse.caasp.psp.privileged
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
# Bind the Service Account with the Role Privileges.
# TODO: Check if default account also needs to be there
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: openebs-maya-operator
subjects:
- kind: ServiceAccount
  name: openebs-maya-operator
  namespace: openebs
- kind: User
  name: system:serviceaccount:default:default
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: openebs-maya-operator
  apiGroup: rbac.authorization.k8s.io
---
	apiVersion: v1
	kind: Namespace
	metadata:
	name: openebs
	---
	# Create Maya Service Account
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: openebs-maya-operator
	namespace: openebs
	---
	# Define Role that allows operations on K8s pods/deployments
	kind: ClusterRole
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: openebs-maya-operator
	rules:
	- apiGroups: ["*"]
	resources: ["nodes", "nodes/proxy"]
	verbs: ["*"]
	- apiGroups: ["*"]
	resources: ["namespaces", "services", "pods", "deployments", "events", "endpoints", "configmaps", "jobs"]
	verbs: ["*"]
	- apiGroups: ["*"]
	resources: ["storageclasses", "persistentvolumeclaims", "persistentvolumes"]
	verbs: ["*"]
	- apiGroups: ["volumesnapshot.external-storage.k8s.io"]
	resources: ["volumesnapshots", "volumesnapshotdatas"]
	verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
	- apiGroups: ["apiextensions.k8s.io"]
	resources: ["customresourcedefinitions"]
	verbs: [ "get", "list", "create", "update", "delete"]
	- apiGroups: ["*"]
	resources: [ "disks"]
	verbs: ["*" ]
	- apiGroups: ["*"]
	resources: [ "storagepoolclaims", "storagepools"]
	verbs: ["*" ]
	- apiGroups: ["*"]
	resources: [ "castemplates", "runtasks"]
	verbs: ["*" ]
	- apiGroups: ["*"]
	resources: [ "cstorpools", "cstorvolumereplicas", "cstorvolumes"]
	verbs: ["*" ]
	- nonResourceURLs: ["/metrics"]
	verbs: ["get"]
	- apiGroups:
	- extensions
	resourceNames:
	- suse.caasp.psp.privileged
	resources:
	- podsecuritypolicies
	verbs:
	- use
	---
	# Bind the Service Account with the Role Privileges.
	# TODO: Check if default account also needs to be there
	kind: ClusterRoleBinding
	apiVersion: rbac.authorization.k8s.io/v1beta1
	metadata:
	name: openebs-maya-operator
	subjects:
	- kind: ServiceAccount
	name: openebs-maya-operator
	namespace: openebs
	- kind: User
	name: system:serviceaccount:default:default
	apiGroup: rbac.authorization.k8s.io
	roleRef:
	kind: ClusterRole
	name: openebs-maya-operator
	apiGroup: rbac.authorization.k8s.io
	---