---
# Identity the operator process runs as. No namespace is set, so the
# ServiceAccount is created in whichever namespace this file is applied to;
# the ClusterRoleBinding further down has to reference that same namespace
# for the binding to take effect.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: postgres-operator
---
# Permissions of the operator itself. This is a ClusterRole bound through a
# ClusterRoleBinding, so every rule below applies in ALL namespaces of the
# cluster, not only the namespace the operator is deployed to. Taken together
# (Secrets, pods/exec, RoleBinding creation, everywhere) the token of this
# ServiceAccount is a very high-value credential; protect the operator
# namespace accordingly and audit API calls made by this identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgres-operator
rules:
  # full control over the operator's own custom resources
  - apiGroups: [acid.zalan.do]
    resources:
      - postgresqls
      - postgresqls/status
      - operatorconfigurations
    verbs: [create, delete, deletecollection, get, list, patch, update, watch]
  # PostgresTeams are only read, never written
  - apiGroups: [acid.zalan.do]
    resources:
      - postgresteams
    verbs: [get, list, watch]
  # full control over event streams (Zalando-internal feature); disabled unless
  # uncommented
  # - apiGroups: [zalando.org]
  #   resources:
  #     - fabriceventstreams
  #   verbs: [create, delete, deletecollection, get, list, patch, update, watch]
  # create the CRDs on first start, read/update them afterwards
  - apiGroups: [apiextensions.k8s.io]
    resources:
      - customresourcedefinitions
    verbs: [create, get, patch, update]
  # read operator configuration from ConfigMaps. Note this is get on every
  # ConfigMap in the cluster, not only the operator's own.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs: [get]
  # emit Events on the custom resources
  - apiGroups: [""]
    resources:
      - events
    verbs: [create, get, list, patch, update, watch]
  # manage Endpoints; Patroni uses the same objects
  - apiGroups: [""]
    resources:
      - endpoints
    verbs: [create, delete, deletecollection, get, list, patch, update, watch]
  # CRUD the Secrets that hold database credentials.
  # Security note: granted cluster-wide, so the operator identity can read and
  # overwrite Secrets in every namespace, not only those it created. Any
  # workload or user that can obtain this ServiceAccount token inherits that
  # access. Reads of Secrets by this identity outside the namespaces it
  # manages are worth alerting on.
  - apiGroups: [""]
    resources:
      - secrets
    verbs: [create, delete, get, update]
  # read the node readiness label
  - apiGroups: [""]
    resources:
      - nodes
    verbs: [get, list, watch]
  # read or delete existing PVCs; creation happens through the StatefulSet
  - apiGroups: [""]
    resources:
      - persistentvolumeclaims
    verbs: [delete, get, list, patch, update]
  # read existing PVs; creation should be done via dynamic provisioning.
  # update is only needed for resizing AWS volumes.
  - apiGroups: [""]
    resources:
      - persistentvolumes
    verbs: [get, list, update]
  # watch Spilo pods and perform rolling updates; creation via StatefulSet
  - apiGroups: [""]
    resources:
      - pods
    verbs: [delete, get, list, patch, update, watch]
  # exec into Spilo pods to resize the filesystem after a volume size increase.
  # Security note: create on pods/exec is cluster-wide here, i.e. this identity
  # may run commands in any pod of the cluster, not only in Spilo pods.
  # pods/exec requests by this ServiceAccount that do not coincide with a
  # volume resize deserve a closer look in the audit log.
  - apiGroups: [""]
    resources:
      - pods/exec
    verbs: [create]
  # CRUD Services pointing at the Postgres cluster instances
  - apiGroups: [""]
    resources:
      - services
    verbs: [create, delete, get, patch, update]
  # CRUD the StatefulSet (and Deployments) that run the Postgres instances
  - apiGroups: [apps]
    resources:
      - statefulsets
      - deployments
    verbs: [create, delete, get, list, patch]
  # CRUD CronJobs for logical backups
  - apiGroups: [batch]
    resources:
      - cronjobs
    verbs: [create, delete, get, list, patch, update]
  # look up the namespaces operator resources may run in
  - apiGroups: [""]
    resources:
      - namespaces
    verbs: [get]
  # define PDBs; an update is performed as delete followed by create
  - apiGroups: [policy]
    resources:
      - poddisruptionbudgets
    verbs: [create, delete, get]
  # create ServiceAccounts in each namespace the operator watches
  - apiGroups: [""]
    resources:
      - serviceaccounts
    verbs: [get, create]
  # create RoleBindings to the postgres-pod ServiceAccount. The API server's
  # RBAC escalation check only lets this identity bind roles whose permissions
  # it already holds itself (or where it has the bind verb); given how broad
  # this ClusterRole is, that check is not a meaningful limit here.
  - apiGroups: [rbac.authorization.k8s.io]
    resources:
      - rolebindings
    verbs: [get, create]
  # allow running privileged pods (not needed by default).
  # Note: PodSecurityPolicy was removed from Kubernetes in v1.25 and the
  # extensions API group stopped serving it well before that; on current
  # clusters this rule has no effect and pod-level restrictions are expressed
  # through Pod Security Admission instead.
  # - apiGroups: [extensions]
  #   resources:
  #     - podsecuritypolicies
  #   resourceNames:
  #     - privileged
  #   verbs: [use]

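---
# Binds the cluster-wide operator role to the operator's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: postgres-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: postgres-operator
subjects:
  - kind: ServiceAccount
    name: postgres-operator
    # A ServiceAccount subject in a ClusterRoleBinding must carry its
    # namespace; without it the API server rejects the object with a
    # "Required value" error on subjects[].namespace. The ServiceAccount
    # document above sets no namespace, so it is created in the namespace
    # this file is applied to -- adjust this value if that is not "default".
    namespace: default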
---
# Permissions for the database pods themselves (Patroni inside Spilo). Defined
# as a ClusterRole so it can be referenced from a RoleBinding in every
# namespace the operator creates clusters in; presumably the operator binds it
# with a namespaced RoleBinding (see the rolebindings rule of the operator
# role), which limits it to that namespace -- confirm before relying on it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgres-pod
rules:
  # Patroni watches and manages Endpoints
  - apiGroups: [""]
    resources:
      - endpoints
    verbs: [create, delete, deletecollection, get, list, patch, update, watch]
  # Patroni watches pods; patch/update are presumably used to label cluster
  # members -- verify against the Patroni Kubernetes documentation
  - apiGroups: [""]
    resources:
      - pods
    verbs: [get, list, patch, update, watch]
  # let Patroni create a headless Service
  - apiGroups: [""]
    resources:
      - services
    verbs: [create]
  # allow running privileged pods (not needed by default).
  # Note: PodSecurityPolicy was removed from Kubernetes in v1.25 and the
  # extensions API group stopped serving it well before that; on current
  # clusters this rule has no effect and pod-level restrictions are expressed
  # through Pod Security Admission instead.
  # - apiGroups: [extensions]
  #   resources:
  #     - podsecuritypolicies
  #   resourceNames:
  #     - privileged
  #   verbs: [use]