apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: operator.cdi.kubevirt.io: "" name: cdi-operator-cluster rules: - apiGroups: - rbac.authorization.k8s.io resources: - clusterrolebindings - clusterroles verbs: - get - list - watch - create - update - delete - apiGroups: - security.openshift.io resources: - securitycontextconstraints verbs: - get - list - watch - update - create - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions - customresourcedefinitions/status verbs: - get - list - watch - create - update - delete - apiGroups: - cdi.kubevirt.io - upload.cdi.kubevirt.io resources: - '*' verbs: - '*' - apiGroups: - admissionregistration.k8s.io resources: - validatingwebhookconfigurations - mutatingwebhookconfigurations verbs: - create - list - watch - apiGroups: - admissionregistration.k8s.io resourceNames: - cdi-api-dataimportcron-validate - cdi-api-populator-validate - cdi-api-datavolume-validate - cdi-api-validate - objecttransfer-api-validate resources: - validatingwebhookconfigurations verbs: - get - update - delete - apiGroups: - admissionregistration.k8s.io resourceNames: - cdi-api-datavolume-mutate - cdi-api-pvc-mutate resources: - mutatingwebhookconfigurations verbs: - get - update - delete - apiGroups: - apiregistration.k8s.io resources: - apiservices verbs: - get - list - watch - create - update - delete - apiGroups: - authorization.k8s.io resources: - subjectaccessreviews verbs: - create - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - persistentvolumeclaims verbs: - get - list - watch - apiGroups: - "" resources: - persistentvolumes verbs: - get - list - watch - apiGroups: - storage.k8s.io resources: - storageclasses verbs: - get - list - watch - apiGroups: - "" resources: - namespaces verbs: - get - apiGroups: - snapshot.storage.k8s.io resources: - volumesnapshots verbs: - get - list - watch - apiGroups: - cdi.kubevirt.io resources: - datavolumes verbs: - list - get - apiGroups: - cdi.kubevirt.io resources: - datasources verbs: - get - apiGroups: - cdi.kubevirt.io resources: - volumeclonesources verbs: - get - list - watch - apiGroups: - cdi.kubevirt.io resources: - storageprofiles verbs: - get - list - watch - apiGroups: - cdi.kubevirt.io resources: - cdis verbs: - get - list - watch - apiGroups: - cdi.kubevirt.io resources: - cdiconfigs verbs: - get - list - watch - apiGroups: - cdi.kubevirt.io resources: - cdis/finalizers verbs: - update - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - "" resources: - persistentvolumeclaims verbs: - get - list - watch - create - update - delete - deletecollection - patch - apiGroups: - "" resources: - persistentvolumes verbs: - get - list - watch - update - apiGroups: - "" resources: - persistentvolumeclaims/finalizers - pods/finalizers verbs: - update - apiGroups: - "" resources: - pods - services verbs: - get - list - watch - create - delete - apiGroups: - "" resources: - configmaps verbs: - get - create - apiGroups: - storage.k8s.io resources: - storageclasses - csidrivers verbs: - get - list - watch - apiGroups: - config.openshift.io resources: - proxies - infrastructures verbs: - get - list - watch - apiGroups: - config.openshift.io resources: - clusterversions verbs: - get - apiGroups: - cdi.kubevirt.io resources: - '*' verbs: - '*' - apiGroups: - snapshot.storage.k8s.io resources: - volumesnapshots - volumesnapshotclasses - volumesnapshotcontents verbs: - get - list - watch - create - delete - apiGroups: - snapshot.storage.k8s.io resources: - volumesnapshots verbs: - update - deletecollection - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - apiGroups: - scheduling.k8s.io resources: - priorityclasses verbs: - get - list - watch - apiGroups: - image.openshift.io resources: - imagestreams verbs: - get - list - watch - apiGroups: - "" resources: - secrets verbs: - create - apiGroups: - kubevirt.io resources: - virtualmachines/finalizers verbs: - update - apiGroups: - forklift.cdi.kubevirt.io resources: - ovirtvolumepopulators - openstackvolumepopulators verbs: - get - list - watch - apiGroups: - "" resources: - persistentvolumeclaims verbs: - get - apiGroups: - cdi.kubevirt.io resources: - dataimportcrons verbs: - get - list - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: operator.cdi.kubevirt.io: "" name: cdi-operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cdi-operator-cluster subjects: - kind: ServiceAccount name: cdi-operator namespace: {{ .Release.Namespace }} --- apiVersion: v1 kind: ServiceAccount metadata: labels: operator.cdi.kubevirt.io: "" name: cdi-operator namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: app: containerized-data-importer app.kubernetes.io/component: storage app.kubernetes.io/managed-by: cdi-operator cdi.kubevirt.io: "" name: cdi-operator namespace: {{ .Release.Namespace }} rules: - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings - roles verbs: - get - list - watch - create - update - delete - apiGroups: - "" resources: - serviceaccounts - configmaps - events - secrets - services verbs: - get - list - watch - create - update - patch - delete - apiGroups: - apps resources: - deployments - deployments/finalizers verbs: - get - list - watch - create - update - delete - apiGroups: - route.openshift.io resources: - routes - routes/custom-host verbs: - get - list - watch - create - update - apiGroups: - config.openshift.io resources: - proxies verbs: - get - list - watch - apiGroups: - monitoring.coreos.com resources: - servicemonitors - prometheusrules verbs: - get - list - watch - create - delete - update - patch - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - create - update - apiGroups: - "" resources: - secrets - configmaps verbs: - get - list - watch - create - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - delete - apiGroups: - "" resources: - secrets verbs: - get - list - watch - apiGroups: - batch resources: - cronjobs verbs: - get - list - watch - create - update - deletecollection - apiGroups: - batch resources: - jobs verbs: - create - deletecollection - list - watch - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - create - update - apiGroups: - networking.k8s.io resources: - ingresses verbs: - get - list - watch - apiGroups: - route.openshift.io resources: - routes verbs: - get - list - watch - apiGroups: - "" resources: - configmaps verbs: - get - apiGroups: - "" resources: - services - endpoints - pods verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: app: containerized-data-importer app.kubernetes.io/component: storage app.kubernetes.io/managed-by: cdi-operator cdi.kubevirt.io: "" name: cdi-operator namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cdi-operator subjects: - kind: ServiceAccount name: cdi-operator namespace: {{ .Release.Namespace }} --- apiVersion: apps/v1 kind: Deployment metadata: labels: cdi.kubevirt.io: cdi-operator name: cdi-operator operator.cdi.kubevirt.io: "" prometheus.cdi.kubevirt.io: "true" name: cdi-operator namespace: {{ .Release.Namespace }} spec: replicas: 1 selector: matchLabels: name: cdi-operator operator.cdi.kubevirt.io: "" strategy: {} template: metadata: labels: cdi.kubevirt.io: cdi-operator name: cdi-operator operator.cdi.kubevirt.io: "" prometheus.cdi.kubevirt.io: "true" spec: affinity: podAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchExpressions: - key: cdi.kubevirt.io operator: In values: - cdi-operator topologyKey: kubernetes.io/hostname weight: 1 containers: - env: - name: DEPLOY_CLUSTER_RESOURCES value: "true" - name: OPERATOR_VERSION value: {{ .Values.deployment.version }} - name: CONTROLLER_IMAGE value: {{ .Values.deployment.controllerImage }}:{{ .Values.deployment.version }} - name: IMPORTER_IMAGE value: {{ .Values.deployment.importerImage }}:{{ .Values.deployment.version }} - name: CLONER_IMAGE value: {{ .Values.deployment.clonerImage }}:{{ .Values.deployment.version }} - name: OVIRT_POPULATOR_IMAGE value: {{ .Values.deployment.importerImage }}:{{ .Values.deployment.version }} - name: APISERVER_IMAGE value: {{ .Values.deployment.apiserverImage }}:{{ .Values.deployment.version }} - name: UPLOAD_SERVER_IMAGE value: {{ .Values.deployment.uploadserverImage }}:{{ .Values.deployment.version }} - name: UPLOAD_PROXY_IMAGE value: {{ .Values.deployment.uploadproxyImage }}:{{ .Values.deployment.version }} - name: VERBOSITY value: "1" - name: PULL_POLICY value: {{ .Values.deployment.pullPolicy }} - name: MONITORING_NAMESPACE image: {{ .Values.deployment.operatorImage }}:{{ .Values.deployment.version }} imagePullPolicy: {{ .Values.deployment.pullPolicy }} name: cdi-operator ports: - containerPort: 8080 name: metrics protocol: TCP resources: requests: cpu: 100m memory: 150Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true seccompProfile: type: RuntimeDefault nodeSelector: kubernetes.io/os: linux securityContext: runAsNonRoot: true serviceAccountName: cdi-operator tolerations: - key: CriticalAddonsOnly operator: Exists