
Commit 629feac

Remove bind verb and explain privileges (zalando#765)
Closes zalando#256
1 parent 97e0d6d commit 629feac


1 file changed

+19
-9
lines changed


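--- a/manifests/operator-service-account-rbac.yaml
+++ b/manifests/operator-service-account-rbac.yaml
@@ -10,6 +10,7 @@ kind: ClusterRole
 metadata:
   name: zalando-postgres-operator
 rules:
+# all verbs allowed for custom operator resources
 - apiGroups:
   - acid.zalan.do
   resources:
@@ -18,6 +19,7 @@ rules:
   - operatorconfigurations
   verbs:
   - "*"
+# to create or get/update CRDs when starting up
 - apiGroups:
   - apiextensions.k8s.io
   resources:
@@ -27,12 +29,14 @@ rules:
   - get
   - patch
   - update
+# to read configuration from ConfigMaps
 - apiGroups:
   - ""
   resources:
   - configmaps
   verbs:
   - get
+# to manage endpoints which are also used by Patroni
 - apiGroups:
   - ""
   resources:
@@ -45,6 +49,7 @@ rules:
   - list
   - patch
   - watch # needed if zalando-postgres-operator account is used for pods as well
+# to CRUD secrets for database access
 - apiGroups:
   - ""
   resources:
@@ -54,6 +59,7 @@ rules:
   - update
   - delete
   - get
+# to check nodes for node readiness label
 - apiGroups:
   - ""
   resources:
@@ -62,6 +68,7 @@ rules:
   - get
   - list
   - watch
+# to read or delete existing PVCs. Creation via StatefulSet
 - apiGroups:
   - ""
   resources:
@@ -70,6 +77,7 @@ rules:
   - delete
   - get
   - list
+# to read existing PVs. Creation should be done via dynamic provisioning
 - apiGroups:
   - ""
   resources:
@@ -78,6 +86,7 @@ rules:
   - get
   - list
   - update # only for resizing AWS volumes
+# to watch Spilo pods and do rolling updates. Creation via StatefulSet
 - apiGroups:
   - ""
   resources:
@@ -88,12 +97,14 @@ rules:
   - list
   - watch
   - patch
+# to resize the filesystem in Spilo pods when increasing volume size
 - apiGroups:
   - ""
   resources:
   - pods/exec
   verbs:
   - create
+# to CRUD services to point to Postgres cluster instances
 - apiGroups:
   - ""
   resources:
@@ -103,6 +114,7 @@ rules:
   - delete
   - get
   - patch
+# to CRUD the StatefulSet which controls the Postgres cluster instances
 - apiGroups:
   - apps
   resources:
@@ -113,12 +125,14 @@ rules:
   - get
   - list
   - patch
+# to get namespaces operator resources can run in
 - apiGroups:
   - ""
   resources:
   - namespaces
   verbs:
   - get
+# to define PDBs. Update happens via delete/create
 - apiGroups:
   - policy
   resources:
@@ -127,39 +141,35 @@ rules:
   - create
   - delete
   - get
+# to create ServiceAccounts in each namespace the operator watches
 - apiGroups:
   - ""
   resources:
   - serviceaccounts
   verbs:
   - get
   - create
+# to create role bindings to the operator service account
 - apiGroups:
   - "rbac.authorization.k8s.io"
   resources:
   - rolebindings
   verbs:
   - get
   - create
-- apiGroups:
-  - "rbac.authorization.k8s.io"
-  resources:
-  - clusterroles
-  verbs:
-  - bind
-  resourceNames:
-  - zalando-postgres-operator
+# to CRUD cron jobs for logical backups
 - apiGroups:
   - batch
   resources:
-  - cronjobs # enables logical backups
+  - cronjobs
   verbs:
   - create
   - delete
   - get
   - list
   - patch
   - update
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding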
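Review bot: The comment added at new line 152, `# to create role bindings to the operator service account`, does not record why the `bind` verb on clusterroles could be dropped, so the next person who hits an RBAC error will likely re-add it. Kubernetes allows a subject to create a RoleBinding to a role whose permissions it already holds at that scope, which is exactly the operator's own ClusterRole, so I would extend the comment to `# to create role bindings to the operator service account (no 'bind' on clusterroles needed: binding a role whose permissions the operator already holds is allowed)`. Worth noting in the same place that this ClusterRole also grants `create` on `pods/exec` and full CRUD on secrets, so any service account the operator binds to it gets those rights inside that namespace; if the endpoints `watch` comment at new line 51 means the Spilo pods run under such a binding, a reader should be pointed to a narrower role for pods. The ClusterRole continues past this section, so I cannot see whether a separate pod role exists further down.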
