{{ if .Values.rbac.create }}
# ClusterRole for the postgres-operator. It carries the operator's
# ServiceAccount name; the binding itself is defined elsewhere in the chart.
# Because this is a ClusterRole (not a Role), every rule below is a
# cluster-wide grant, so each verb list should stay as narrow as the operator
# actually needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "postgres-operator.serviceAccountName" . }}
  labels:
    app.kubernetes.io/name: {{ template "postgres-operator.name" . }}
    helm.sh/chart: {{ template "postgres-operator.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
rules:
  # all verbs allowed for custom operator resources
  - apiGroups:
      - acid.zalan.do
    resources:
      - postgresqls
      - postgresqls/status
      - operatorconfigurations
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # operator only reads PostgresTeams
  - apiGroups:
      - acid.zalan.do
    resources:
      - postgresteams
    verbs:
      - get
      - list
      - watch
  # all verbs allowed for event streams
  # (only rendered when streams are enabled in values)
{{- if .Values.enableStreams }}
  - apiGroups:
      - zalando.org
    resources:
      - fabriceventstreams
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
{{- end }}
  # to create or get/update CRDs when starting up
  # write verbs on CRDs are only added when the operator registers its own
  # CRDs; toString lets a bool or string value compare the same way
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
{{- if toString .Values.configGeneral.enable_crd_registration | eq "true" }}
      - create
      - patch
      - update
{{- end }}
  # to send events to the CRs
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - update
      - watch
  # to manage endpoints/configmaps which are also used by Patroni
  # with kubernetes_use_configmaps the operator gets full write access to
  # ConfigMaps; otherwise ConfigMaps are read-only and Endpoints are writable
{{- if toString .Values.configGeneral.kubernetes_use_configmaps | eq "true" }}
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
{{- else }}
  # to read configuration from ConfigMaps
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
{{- end }}
  # to CRUD secrets for database access
  # no list/watch on secrets: they are only readable by name, which keeps a
  # cluster-wide grant on Secrets from becoming a cluster-wide enumeration
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
      - get
      - update
  # to check nodes for node readiness label
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # to read or delete existing PVCs. Creation via StatefulSet
  # patch/update are only granted when PVCs are resized in place
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - delete
      - get
      - list
{{- if toString .Values.configKubernetes.storage_resize_mode | eq "pvc" }}
      - patch
      - update
{{- end }}
  # to read existing PVs. Creation should be done via dynamic provisioning
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
{{- if toString .Values.configKubernetes.storage_resize_mode | eq "ebs" }}
      - update  # only for resizing AWS volumes
{{- end }}
  # to watch Spilo pods and do rolling updates. Creation via StatefulSet
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # to resize the filesystem in Spilo pods when increasing volume size
  # create on pods/exec with no resourceNames permits exec into any pod the
  # operator can reach cluster-wide; this is the broadest grant in the role,
  # so audit its use and keep the operator's ServiceAccount tightly held
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  # to CRUD services to point to Postgres cluster instances
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - create
      - delete
      - get
      - patch
      - update
  # to CRUD the StatefulSet which controls the Postgres cluster instances
  - apiGroups:
      - apps
    resources:
      - statefulsets
      - deployments
    verbs:
      - create
      - delete
      - get
      - list
      - patch
  # to CRUD cron jobs for logical backups
  - apiGroups:
      - batch
    resources:
      - cronjobs
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
  # to get namespaces operator resources can run in
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  # to define PDBs. Update happens via delete/create
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - get
  # to create ServiceAccounts in each namespace the operator watches
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - get
      - create
  # to create role bindings to the postgres-pod service account
  # get/create only: this role does not permit changing or removing existing
  # RoleBindings
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
    verbs:
      - get
      - create
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
  # to run privileged pods
  # NOTE(review): PodSecurityPolicy under the legacy extensions group is not
  # served by current Kubernetes releases (PSP itself has been removed) —
  # confirm the target cluster version before relying on this rule
  - apiGroups:
      - extensions
    resources:
      - podsecuritypolicies
    resourceNames:
      - privileged
    verbs:
      - use
{{- end }}
{{ end }}