Felix Kunde
GitHub
parent
97e0d6d388
commit
629feac98f
|
|
@ -10,6 +10,7 @@ kind: ClusterRole
|
|||
metadata:
|
||||
name: zalando-postgres-operator
|
||||
rules:
|
||||
# all verbs allowed for custom operator resources
|
||||
- apiGroups:
|
||||
- acid.zalan.do
|
||||
resources:
|
||||
|
|
@ -18,6 +19,7 @@ rules:
|
|||
- operatorconfigurations
|
||||
verbs:
|
||||
- "*"
|
||||
# to create or get/update CRDs when starting up
|
||||
- apiGroups:
|
||||
- apiextensions.k8s.io
|
||||
resources:
|
||||
|
|
@ -27,12 +29,14 @@ rules:
|
|||
- get
|
||||
- patch
|
||||
- update
|
||||
# to read configuration from ConfigMaps
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- configmaps
|
||||
verbs:
|
||||
- get
|
||||
# to manage endpoints which are also used by Patroni
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
@ -45,6 +49,7 @@ rules:
|
|||
- list
|
||||
- patch
|
||||
- watch # needed if zalando-postgres-operator account is used for pods as well
|
||||
# to CRUD secrets for database access
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
@ -54,6 +59,7 @@ rules:
|
|||
- update
|
||||
- delete
|
||||
- get
|
||||
# to check nodes for node readiness label
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
@ -62,6 +68,7 @@ rules:
|
|||
- get
|
||||
- list
|
||||
- watch
|
||||
# to read or delete existing PVCs. Creation via StatefulSet
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
@ -70,6 +77,7 @@ rules:
|
|||
- delete
|
||||
- get
|
||||
- list
|
||||
# to read existing PVs. Creation should be done via dynamic provisioning
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
@ -78,6 +86,7 @@ rules:
|
|||
- get
|
||||
- list
|
||||
- update # only for resizing AWS volumes
|
||||
# to watch Spilo pods and do rolling updates. Creation via StatefulSet
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
@ -88,12 +97,14 @@ rules:
|
|||
- list
|
||||
- watch
|
||||
- patch
|
||||
# to resize the filesystem in Spilo pods when increasing volume size
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods/exec
|
||||
verbs:
|
||||
- create
|
||||
# to CRUD services to point to Postgres cluster instances
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
@ -103,6 +114,7 @@ rules:
|
|||
- delete
|
||||
- get
|
||||
- patch
|
||||
# to CRUD the StatefulSet which controls the Postgres cluster instances
|
||||
- apiGroups:
|
||||
- apps
|
||||
resources:
|
||||
|
|
@ -113,12 +125,14 @@ rules:
|
|||
- get
|
||||
- list
|
||||
- patch
|
||||
# to get namespaces operator resources can run in
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- namespaces
|
||||
verbs:
|
||||
- get
|
||||
# to define PDBs. Update happens via delete/create
|
||||
- apiGroups:
|
||||
- policy
|
||||
resources:
|
||||
|
|
@ -127,6 +141,7 @@ rules:
|
|||
- create
|
||||
- delete
|
||||
- get
|
||||
# to create ServiceAccounts in each namespace the operator watches
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
|
|
@ -134,6 +149,7 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
- create
|
||||
# to create role bindings to the operator service account
|
||||
- apiGroups:
|
||||
- "rbac.authorization.k8s.io"
|
||||
resources:
|
||||
|
|
@ -141,18 +157,11 @@ rules:
|
|||
verbs:
|
||||
- get
|
||||
- create
|
||||
- apiGroups:
|
||||
- "rbac.authorization.k8s.io"
|
||||
resources:
|
||||
- clusterroles
|
||||
verbs:
|
||||
- bind
|
||||
resourceNames:
|
||||
- zalando-postgres-operator
|
||||
# to CRUD cron jobs for logical backups
|
||||
- apiGroups:
|
||||
- batch
|
||||
resources:
|
||||
- cronjobs # enables logical backups
|
||||
- cronjobs
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
|
|
@ -160,6 +169,7 @@ rules:
|
|||
- list
|
||||
- patch
|
||||
- update
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
|
|
|
|||
Loading…
Reference in New Issue