243 lines
4.1 KiB
YAML
243 lines
4.1 KiB
YAML
{{ if .Values.rbac.create }}
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ include "postgres-operator.serviceAccountName" . }}
|
|
labels:
|
|
app.kubernetes.io/name: {{ template "postgres-operator.name" . }}
|
|
helm.sh/chart: {{ template "postgres-operator.chart" . }}
|
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
rules:
|
|
# all verbs allowed for custom operator resources
|
|
- apiGroups:
|
|
- acid.zalan.do
|
|
resources:
|
|
- postgresqls
|
|
- postgresqls/status
|
|
- operatorconfigurations
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
# operator only reads PostgresTeams
|
|
- apiGroups:
|
|
- acid.zalan.do
|
|
resources:
|
|
- postgresteams
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
# to create or get/update CRDs when starting up
|
|
- apiGroups:
|
|
- apiextensions.k8s.io
|
|
resources:
|
|
- customresourcedefinitions
|
|
verbs:
|
|
- create
|
|
- get
|
|
- patch
|
|
- update
|
|
# to send events to the CRs
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- events
|
|
verbs:
|
|
- create
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
# to manage endpoints/configmaps which are also used by Patroni
|
|
{{- if toString .Values.configGeneral.kubernetes_use_configmaps | eq "true" }}
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- endpoints
|
|
verbs:
|
|
- get
|
|
{{- else }}
|
|
# to read configuration from ConfigMaps
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- endpoints
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- deletecollection
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
{{- end }}
|
|
# to CRUD secrets for database access
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- update
|
|
# to check nodes for node readiness label
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- nodes
|
|
verbs:
|
|
- get
|
|
- list
|
|
- watch
|
|
# to read or delete existing PVCs. Creation via StatefulSet
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- persistentvolumeclaims
|
|
verbs:
|
|
- delete
|
|
- get
|
|
- list
|
|
{{- if toString .Values.configKubernetes.storage_resize_mode | eq "pvc" }}
|
|
- patch
|
|
- update
|
|
{{- end }}
|
|
# to read existing PVs. Creation should be done via dynamic provisioning
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- persistentvolumes
|
|
verbs:
|
|
- get
|
|
- list
|
|
{{- if toString .Values.configKubernetes.storage_resize_mode | eq "ebs" }}
|
|
- update # only for resizing AWS volumes
|
|
{{- end }}
|
|
# to watch Spilo pods and do rolling updates. Creation via StatefulSet
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods
|
|
verbs:
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
- watch
|
|
# to resize the filesystem in Spilo pods when increasing volume size
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- pods/exec
|
|
verbs:
|
|
- create
|
|
# to CRUD services to point to Postgres cluster instances
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- services
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- patch
|
|
- update
|
|
# to CRUD the StatefulSet which controls the Postgres cluster instances
|
|
- apiGroups:
|
|
- apps
|
|
resources:
|
|
- statefulsets
|
|
- deployments
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
# to CRUD cron jobs for logical backups
|
|
- apiGroups:
|
|
- batch
|
|
resources:
|
|
- cronjobs
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
- list
|
|
- patch
|
|
- update
|
|
# to get namespaces operator resources can run in
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- namespaces
|
|
verbs:
|
|
- get
|
|
# to define PDBs. Update happens via delete/create
|
|
- apiGroups:
|
|
- policy
|
|
resources:
|
|
- poddisruptionbudgets
|
|
verbs:
|
|
- create
|
|
- delete
|
|
- get
|
|
# to create ServiceAccounts in each namespace the operator watches
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- serviceaccounts
|
|
verbs:
|
|
- get
|
|
- create
|
|
# to create role bindings to the postgres-pod service account
|
|
- apiGroups:
|
|
- rbac.authorization.k8s.io
|
|
resources:
|
|
- rolebindings
|
|
verbs:
|
|
- get
|
|
- create
|
|
{{- if toString .Values.configKubernetes.spilo_privileged | eq "true" }}
|
|
# to run privileged pods
|
|
- apiGroups:
|
|
- extensions
|
|
resources:
|
|
- podsecuritypolicies
|
|
resourceNames:
|
|
- privileged
|
|
verbs:
|
|
- use
|
|
{{- end }}
|
|
{{ end }}
|