From c7eb885d3ef4891cc91353cdc6701ad4dcd64c9e Mon Sep 17 00:00:00 2001 From: Clayton O'Neill Date: Sun, 25 Jun 2017 19:08:00 -0400 Subject: [PATCH] Add RBAC examples for nfs-client Adds example configuration files for clusters that have RBAC enabled (1.6) or OpenShift users. This is mostly a cut and paste job from the EFS example. (cherry picked from commit a82645d4ecdf75066f43c677aa2bd55d0e280fd7) --- README.md | 29 ++++++++++++++++++++++++++ deploy/auth/clusterrole.yaml | 17 +++++++++++++++ deploy/auth/clusterrolebinding.yaml | 12 +++++++++++ deploy/auth/openshift-clusterrole.yaml | 17 +++++++++++++++ deploy/auth/serviceaccount.yaml | 4 ++++ 5 files changed, 79 insertions(+) create mode 100644 deploy/auth/clusterrole.yaml create mode 100644 deploy/auth/clusterrolebinding.yaml create mode 100644 deploy/auth/openshift-clusterrole.yaml create mode 100644 deploy/auth/serviceaccount.yaml
diff --git a/README.md b/README.md
index d5ad6a87..5a901579 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,35 @@ quay.io/external_storage/nfs-client-provisioner:v2.0.0
 - modify and deploy `deploy/deployment.yaml`
 - modify and deploy `deploy/class.yaml`
+# authorization
+
+If your cluster has RBAC enabled or you are running OpenShift you must
+authorize the provisioner. If you are in a namespace/project other than
+"default" either edit `deploy/auth/clusterrolebinding.yaml` or edit the `oadm
+policy` command accordingly.
+
+## RBAC
+```console
+$ kubectl create -f deploy/auth/serviceaccount.yaml
+serviceaccount "nfs-client-provisioner" created
+$ kubectl create -f deploy/auth/clusterrole.yaml
+clusterrole "nfs-client-provisioner-runner" created
+$ kubectl create -f deploy/auth/clusterrolebinding.yaml
+clusterrolebinding "run-nfs-client-provisioner" created
+$ kubectl patch deployment nfs-client-provisioner -p '{"spec":{"template":{"spec":{"serviceAccount":"nfs-client-provisioner"}}}}'
+```
+
+## OpenShift
+```console
+$ oc create -f deploy/auth/serviceaccount.yaml
+serviceaccount "nfs-client-provisioner" created
+$ oc create -f deploy/auth/openshift-clusterrole.yaml
+clusterrole "nfs-client-provisioner-runner" created
+$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:default:nfs-client-provisioner
+$ oadm policy add-cluster-role-to-user nfs-client-provisioner-runner system:serviceaccount:default:nfs-client-provisioner
+$ oc patch deployment nfs-client-provisioner -p '{"spec":{"template":{"spec":{"serviceAccount":"nfs-client-provisioner"}}}}'
+```
+
 # test
 - `kubectl create -f deploy/test-claim.yaml`
 - `kubectl create -f deploy/test-pod.yaml`
diff --git a/deploy/auth/clusterrole.yaml b/deploy/auth/clusterrole.yaml
new file mode 100644
index 00000000..fe2a7561
--- /dev/null
+++ b/deploy/auth/clusterrole.yaml
@@ -0,0 +1,17 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+ name: nfs-client-provisioner-runner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
diff --git a/deploy/auth/clusterrolebinding.yaml b/deploy/auth/clusterrolebinding.yaml
new file mode 100644
index 00000000..54bd987c
--- /dev/null
+++ b/deploy/auth/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+ name: run-nfs-client-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: nfs-client-provisioner
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: nfs-client-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/auth/openshift-clusterrole.yaml b/deploy/auth/openshift-clusterrole.yaml
new file mode 100644
index 00000000..beabc8f0
--- /dev/null
+++ b/deploy/auth/openshift-clusterrole.yaml
@@ -0,0 +1,17 @@
+kind: ClusterRole
+apiVersion: v1
+metadata:
+ name: nfs-client-provisioner-runner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
diff --git a/deploy/auth/serviceaccount.yaml b/deploy/auth/serviceaccount.yaml
new file mode 100644
index 00000000..edead9ad
--- /dev/null
+++ b/deploy/auth/serviceaccount.yaml
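Review bot: `apiVersion: rbac.authorization.k8s.io/v1alpha1` on the second line of deploy/auth/clusterrole.yaml, and again in deploy/auth/clusterrolebinding.yaml in the same physical line, is the alpha RBAC version, while the commit description targets clusters with RBAC enabled on 1.6, where RBAC is served as `rbac.authorization.k8s.io/v1beta1`. Alpha API versions carry no compatibility guarantee and are not necessarily served on every cluster, so these example files are likely to stop applying as clusters move forward. I would change both files to `apiVersion: rbac.authorization.k8s.io/v1beta1`. The rule set itself reads as a reasonable minimum for an external provisioner (create/delete on persistentvolumes, update on persistentvolumeclaims, read-only storageclasses, events), so the grant is not over-broad; a one-line comment above `rules:` saying which verb each controller loop needs would make it easier to keep that way when rules are added later.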
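Review bot: `namespace: default` under `subjects` in deploy/auth/clusterrolebinding.yaml is hardcoded, while deploy/auth/serviceaccount.yaml (its hunk is the last line of the patch) sets no `metadata.namespace`, so the ServiceAccount is created in whatever namespace the caller's current context points at. If that is not `default`, the binding still applies cleanly but names a subject that does not exist, and the deployment patched in the README would presumably run with an unbound ServiceAccount and fail its API calls as forbidden, which is a confusing failure to debug. I would either add `namespace: default` to serviceaccount.yaml so the two files agree, or put a comment above the subject, `# must match the namespace the ServiceAccount and the Deployment are created in`. A second comment on `kind: ClusterRoleBinding` is worth having too, since a cluster-wide binding is deliberate here: persistentvolumes are cluster-scoped and the provisioner has to watch claims in every namespace, so a namespaced RoleBinding would not be enough.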
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nfs-client-provisioner