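---
# Identity the operator runs as. The ClusterRoleBinding at the end of this
# file binds it to the ClusterRole below; all three objects share the same
# name, and the binding repeats this namespace, so change them together.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: zalando-postgres-operator
  namespace: default
---
# Cluster-wide permissions of the operator. Declared with rbac/v1 (the GA
# API) so it matches the ClusterRoleBinding below; the v1beta1 RBAC API is
# deprecated and no longer served by current Kubernetes releases.
#
# Every rule here is cluster-scoped (a ClusterRole has no namespace), so each
# grant applies to the named resource in every namespace. The broadest ones
# are the wildcard verb on the operator's own API group, the secrets rule,
# and pods/exec — worth auditing when the operator is deployed to a cluster
# shared with other tenants.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: zalando-postgres-operator
rules:
  # all verbs allowed for custom operator resources
  # ("*" also covers any verb added by future API versions)
  - apiGroups:
      - acid.zalan.do
    resources:
      - postgresqls
      - postgresqls/status
      - operatorconfigurations
    verbs:
      - "*"
  # to create or get/update CRDs when starting up
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - get
      - patch
      - update
  # to read configuration from ConfigMaps
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
  # to manage endpoints which are also used by Patroni
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - watch
  # needed if zalando-postgres-operator account is used for pods as well
  # to CRUD secrets for database access
  # (no "list"/"watch", so the operator can only fetch secrets by name, but
  # create/update/delete/get applies to secrets in every namespace)
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - update
      - delete
      - get
  # to check nodes for node readiness label
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # to read or delete existing PVCs. Creation via StatefulSet
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - delete
      - get
      - list
  # to read existing PVs. Creation should be done via dynamic provisioning
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - update  # only for resizing AWS volumes
  # to watch Spilo pods and do rolling updates. Creation via StatefulSet
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - delete
      - get
      - list
      - watch
      - patch
  # to resize the filesystem in Spilo pods when increasing volume size
  # (pods/exec "create" permits running commands in any pod the operator can
  # address, not only Spilo ones; keep this rule under review)
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  # to CRUD services to point to Postgres cluster instances
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - create
      - delete
      - get
      - patch
  # to CRUD the StatefulSet which controls the Postgres cluster instances
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
  # to get namespaces operator resources can run in
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  # to define PDBs. Update happens via delete/create
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - get
  # to create ServiceAccounts in each namespace the operator watches
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - get
      - create
  # to create role bindings to the operator service account
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      - rolebindings
    verbs:
      - get
      - create
  # to CRUD cron jobs for logical backups
  - apiGroups:
      - batch
    resources:
      - cronjobs
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
---
# Grants the ClusterRole above to the operator's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: zalando-postgres-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: zalando-postgres-operator
subjects:
  # note: the cluster role binding needs to be defined
  # for every namespace the operator service account lives in.
  - kind: ServiceAccount
    name: zalando-postgres-operator
    namespace: default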