public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Remove bind verb and explain privileges 

Closes #256
This commit is contained in:
Felix Kunde 2019-12-16 14:41:35 +01:00 committed by GitHub
parent 97e0d6d388
commit 1d3decb149
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
manifests/operator-service-account-rbac.yaml
View File

@ -10,6 +10,7 @@ kind: ClusterRole
metadata:
name: zalando-postgres-operator
rules:
# all verbs allowed for custom operator resources
- apiGroups:
- acid.zalan.do
resources:
@ -18,6 +19,7 @@ rules:
- operatorconfigurations
verbs:
- "*"
# to create or get/update CRDs when starting up
- apiGroups:
- apiextensions.k8s.io
resources:
@ -27,12 +29,14 @@ rules:
- get
- patch
- update
# to read configuration from ConfigMaps
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
# to manage endpoints which are also used by Patroni
- apiGroups:
- ""
resources:
@ -45,6 +49,7 @@ rules:
- list
- patch
- watch # needed if zalando-postgres-operator account is used for pods as well
# to CRUD secrets for database access
- apiGroups:
- ""
resources:
@ -54,6 +59,7 @@ rules:
- update
- delete
- get
# to check nodes for node readiness label
- apiGroups:
- ""
resources:
@ -62,6 +68,7 @@ rules:
- get
- list
- watch
# to read or delete existing PVCs. Creation via StatefulSet
- apiGroups:
- ""
resources:
@ -70,6 +77,7 @@ rules:
- delete
- get
- list
# to read existing PVs. Creation should be done via dynamic provisioning
- apiGroups:
- ""
resources:
@ -78,6 +86,7 @@ rules:
- get
- list
- update # only for resizing AWS volumes
# to watch Spilo pods and do rolling updates. Creation via StatefulSet
- apiGroups:
- ""
resources:
@ -88,12 +97,14 @@ rules:
- list
- watch
- patch
# to resize the filesystem in Spilo pods when increasing volume size
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
# to CRUD services to point to Postgres cluster instances
- apiGroups:
- ""
resources:
@ -103,6 +114,7 @@ rules:
- delete
- get
- patch
# to CRUD the StatefulSet which controls the Postgres cluster instances
- apiGroups:
- apps
resources:
@ -113,12 +125,14 @@ rules:
- get
- list
- patch
# to get namespaces operator resources can run in
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
# to define PDBs. Update happens via delete/create
- apiGroups:
- policy
resources:
@ -127,6 +141,7 @@ rules:
- create
- delete
- get
# to create ServiceAccounts in each namespace the operator watches
- apiGroups:
- ""
resources:
@ -134,6 +149,7 @@ rules:
verbs:
- get
- create
# to create role bindings to the operator service account
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
@ -141,18 +157,11 @@ rules:
verbs:
- get
- create
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- clusterroles
verbs:
- bind
resourceNames:
- zalando-postgres-operator
# to CRUD cron jobs for logical backups
- apiGroups:
- batch
resources:
- cronjobs # enables logical backups
- cronjobs
verbs:
- create
- delete
@ -160,6 +169,7 @@ rules:
- list
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding