{{ if .Values.rbac.create }}
# ClusterRole for the postgres-operator service account; rendered only when
# .Values.rbac.create is set. The name comes from the same helper as the
# service account name so a binding can reference both consistently.
# NOTE(review): as a ClusterRole, every rule below applies across all
# namespaces once it is bound with a ClusterRoleBinding (the binding is not
# in this file - confirm how it is bound). Several rules are gated on
# configGeneral/configKubernetes values so the role only carries the verbs
# the selected operator mode needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "postgres-operator.serviceAccountName" . }}
  labels:
    app.kubernetes.io/name: {{ template "postgres-operator.name" . }}
    helm.sh/chart: {{ template "postgres-operator.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
rules:
# all verbs allowed for custom operator resources
# (postgresqls, their status subresource and operatorconfigurations)
- apiGroups:
  - acid.zalan.do
  resources:
  - postgresqls
  - postgresqls/status
  - operatorconfigurations
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# operator only reads PostgresTeams
- apiGroups:
  - acid.zalan.do
  resources:
  - postgresteams
  verbs:
  - get
  - list
  - watch
# all verbs allowed for event streams
# (this rule is only rendered when .Values.enableStreams is set)
{{- if .Values.enableStreams }}
- apiGroups:
  - zalando.org
  resources:
  - fabriceventstreams
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
{{- end }}
# to create or get/update CRDs when starting up
# get is always granted; the write verbs on CRDs (cluster-scoped API schema
# objects) are only added when configGeneral.enable_crd_registration is "true"
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
{{- if toString .Values.configGeneral.enable_crd_registration | eq "true" }}
  - create
  - patch
  - update
{{- end }}
# to send events to the CRs
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
# to manage endpoints/configmaps which are also used by Patroni
# configGeneral.kubernetes_use_configmaps selects which resource type gets
# full write access: configmaps when "true", otherwise endpoints (with
# configmaps left read-only)
{{- if toString .Values.configGeneral.kubernetes_use_configmaps | eq "true" }}
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
{{- else }}
# to read configuration from ConfigMaps
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
{{- end }}
# to CRUD secrets for database access
# note that list and watch are not granted, so this role cannot enumerate
# secrets cluster-wide; keep it that way when extending the rule
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - patch
  - update
# to check nodes for node readiness label
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
# to read or delete existing PVCs. Creation via StatefulSet
# update is only added when configKubernetes.storage_resize_mode is "pvc"
# or "mixed"
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - delete
  - get
  - list
  - patch
{{- if or (toString .Values.configKubernetes.storage_resize_mode | eq "pvc") (toString .Values.configKubernetes.storage_resize_mode | eq "mixed") }}
  - update
{{- end }}
# to read existing PVs. Creation should be done via dynamic provisioning
# update is only added when configKubernetes.storage_resize_mode is "ebs"
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
{{- if toString .Values.configKubernetes.storage_resize_mode | eq "ebs" }}
  - update  # only for resizing AWS volumes
{{- end }}
# to watch Spilo pods and do rolling updates. Creation via StatefulSet
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - delete
  - get
  - list
  - patch
  - update
  - watch
# to resize the filesystem in Spilo pods when increasing volume size
# NOTE(review): create on pods/exec opens an exec session into a pod, and RBAC
# cannot narrow this rule to Spilo pods by label; with a cluster-wide binding
# it reaches every pod in every namespace, so treat it as the most sensitive
# grant in this role
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
# to CRUD services to point to Postgres cluster instances
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - patch
  - update
# to CRUD the StatefulSet which controls the Postgres cluster instances
# (deployments are covered by the same rule)
- apiGroups:
  - apps
  resources:
  - statefulsets
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
# to CRUD cron jobs for logical backups
- apiGroups:
  - batch
  resources:
  - cronjobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
# to get namespaces operator resources can run in
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
# to define PDBs. Update happens via delete/create
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - get
# to create ServiceAccounts in each namespace the operator watches
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - create
# to create role bindings to the postgres-pod service account
# creating RoleBindings is a privilege-granting action; the Kubernetes RBAC
# escalation check limits it to permissions this role already holds, since
# the bind verb is not granted here
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - get
  - create
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
# to run privileged pods
# NOTE(review): PodSecurityPolicy was removed from Kubernetes in v1.25, and
# upstream RBAC examples place podsecuritypolicies in the policy apiGroup;
# this rule uses the legacy extensions group - confirm against the target
# cluster version before relying on spilo_privileged
- apiGroups:
  - extensions
  resources:
  - podsecuritypolicies
  resourceNames:
  - privileged
  verbs:
  - use
{{- end }}
{{ end }}