[templates] Add RBAC ClusterRoles for module CRDs (astef-prototype)

templates/rbac-for-us.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: d8:sds-replicated-volume:admin-kubeconfig
+  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
+rules:
+- apiGroups:
+  - storage.deckhouse.io
+  resources:
+  - drbdmappers
+  - drbdnodeoperations
+  - drbdresourceoperations
+  - drbdresources
+  - replicatedstorageclasses
+  - replicatedstoragepools
+  - replicatedvolumeattachments
+  - replicatedvolumereplicas
+  - replicatedvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: d8:sds-replicated-volume:admin-kubeconfig
+  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: d8:sds-replicated-volume:admin-kubeconfig
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: kubeadm:cluster-admins

templates/rbacv2/manage/edit.yaml

@@ -0,0 +1,30 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    heritage: deckhouse
+    module: sds-replicated-volume
+    rbac.deckhouse.io/aggregate-to-storage-as: manager
+    rbac.deckhouse.io/kind: manage
+    rbac.deckhouse.io/level: module
+    rbac.deckhouse.io/namespace: d8-sds-replicated-volume
+  name: d8:manage:permission:module:sds-replicated-volume:edit
+rules:
+- apiGroups:
+  - storage.deckhouse.io
+  resources:
+  - drbdmappers
+  - drbdnodeoperations
+  - drbdresourceoperations
+  - drbdresources
+  - replicatedstorageclasses
+  - replicatedstoragepools
+  - replicatedvolumeattachments
+  - replicatedvolumereplicas
+  - replicatedvolumes
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update

templates/rbacv2/manage/view.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    heritage: deckhouse
+    module: sds-replicated-volume
+    rbac.deckhouse.io/aggregate-to-storage-as: viewer
+    rbac.deckhouse.io/kind: manage
+    rbac.deckhouse.io/level: module
+    rbac.deckhouse.io/namespace: d8-sds-replicated-volume
+  name: d8:manage:permission:module:sds-replicated-volume:view
+rules:
+- apiGroups:
+  - storage.deckhouse.io
+  resources:
+  - drbdmappers
+  - drbdnodeoperations
+  - drbdresourceoperations
+  - drbdresources
+  - replicatedstorageclasses
+  - replicatedstoragepools
+  - replicatedvolumeattachments
+  - replicatedvolumereplicas
+  - replicatedvolumes
+  verbs:
+  - get
+  - list
+  - watch

templates/user-authz-cluster-roles.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    user-authz.deckhouse.io/access-level: User
+  name: d8:user-authz:sds-replicated-volume:user
+  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
+rules:
+- apiGroups:
+  - storage.deckhouse.io
+  resources:
+  - drbdmappers
+  - drbdnodeoperations
+  - drbdresourceoperations
+  - drbdresources
+  - replicatedstorageclasses
+  - replicatedstoragepools
+  - replicatedvolumeattachments
+  - replicatedvolumereplicas
+  - replicatedvolumes
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    user-authz.deckhouse.io/access-level: ClusterEditor
+  name: d8:user-authz:sds-replicated-volume:cluster-editor
+  {{- include "helm_lib_module_labels" (list .) | nindent 2 }}
+rules:
+- apiGroups:
+  - storage.deckhouse.io
+  resources:
+  - drbdmappers
+  - drbdnodeoperations
+  - drbdresourceoperations
+  - drbdresources
+  - replicatedstorageclasses
+  - replicatedstoragepools
+  - replicatedvolumeattachments
+  - replicatedvolumereplicas
+  - replicatedvolumes
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update