From cc274a86f7cd5921aecc968dd9042215f42788a5 Mon Sep 17 00:00:00 2001
From: Bipul Adhikari
Date: Wed, 15 Jan 2025 16:45:40 +0545
Subject: [PATCH] Add TokenReview RBAC to support CSI addons security enhancements

Signed-off-by: Bipul Adhikari
---
 config/csi-rbac/cephfs_ctrlplugin_role.yaml | 3 +++
 config/csi-rbac/rbd_ctrlplugin_role.yaml | 3 +++
 config/csi-rbac/rbd_nodeplugin_role.yaml | 3 +++
 deploy/all-in-one/install.yaml | 18 ++++++++++++++++++
 deploy/multifile/csi-rbac.yaml | 18 ++++++++++++++++++
 5 files changed, 45 insertions(+)

diff --git a/config/csi-rbac/cephfs_ctrlplugin_role.yaml b/config/csi-rbac/cephfs_ctrlplugin_role.yaml
index 123d5d96..1d2d7dd4 100644
--- a/config/csi-rbac/cephfs_ctrlplugin_role.yaml
+++ b/config/csi-rbac/cephfs_ctrlplugin_role.yaml
@@ -18,3 +18,6 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/config/csi-rbac/rbd_ctrlplugin_role.yaml b/config/csi-rbac/rbd_ctrlplugin_role.yaml
index d04f983d..9f1145bf 100644
--- a/config/csi-rbac/rbd_ctrlplugin_role.yaml
+++ b/config/csi-rbac/rbd_ctrlplugin_role.yaml
@@ -18,3 +18,6 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/config/csi-rbac/rbd_nodeplugin_role.yaml b/config/csi-rbac/rbd_nodeplugin_role.yaml
index 1e9353a9..5e6c2d29 100644
--- a/config/csi-rbac/rbd_nodeplugin_role.yaml
+++ b/config/csi-rbac/rbd_nodeplugin_role.yaml
@@ -15,3 +15,6 @@ rules:
 - apiGroups: ["apps"]
 resources: ["deployments/finalizers", "daemonsets/finalizers"]
 verbs: ["update"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
diff --git a/deploy/all-in-one/install.yaml b/deploy/all-in-one/install.yaml
index 567a9d04..04d830d2 100644
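Review bot: The `tokenreviews` rule added at the end of `rules:` in config/csi-rbac/cephfs_ctrlplugin_role.yaml may grant nothing if this file defines a namespaced `Role`, because TokenReview in `authentication.k8s.io` is a cluster-scoped resource and a Role can only authorize namespaced resources. The `kind:` line is outside the hunk, so this is inferred from the file name and the neighbouring `deployments/finalizers` rule; if it is a Role, the rule belongs in the corresponding ClusterRole bound through a ClusterRoleBinding, otherwise the TokenReview calls this commit is meant to enable would be rejected as forbidden. The same applies to the identical hunks in rbd_ctrlplugin_role.yaml and rbd_nodeplugin_role.yaml. Wherever the rule ends up, a comment above it such as `# create on tokenreviews: needed so CSI-Addons can validate caller bearer tokens` would record why the grant exists. The node plugin grant is also worth confirming against least privilege, since the commit does not show which of the three components actually performs token validation.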
--- a/deploy/all-in-one/install.yaml
+++ b/deploy/all-in-one/install.yaml
@@ -14120,6 +14120,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14207,6 +14213,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -14242,6 +14254,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/deploy/multifile/csi-rbac.yaml b/deploy/multifile/csi-rbac.yaml
index 84941e59..2835cdd9 100644
--- a/deploy/multifile/csi-rbac.yaml
+++ b/deploy/multifile/csi-rbac.yaml
@@ -79,6 +79,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -125,6 +131,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -160,6 +172,12 @@ rules:
 - daemonsets/finalizers
 verbs:
 - update
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole