Merge pull request #443 from mpatlasov/OCPBUGS-62802-Add-RBAC-permissions-for-secrets-and-nodes

openshift-merge-bot[bot] · web-flow · commit 9816f9223f6a · 2025-10-24T11:32:47.000Z
OCPBUGS-62802: Add RBAC ClusterRole and Binding for driver node
diff --git a/assets/overlays/azure-disk/base/node_driver_binding.yaml b/assets/overlays/azure-disk/base/node_driver_binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: azure-disk-csi-driver-node-clusterrolebinding
+subjects:
+  - kind: ServiceAccount
+    name: azure-disk-csi-driver-node-sa
+    namespace: ${NODE_NAMESPACE}
+roleRef:
+  kind: ClusterRole
+  name: azure-disk-csi-driver-node-clusterrole
+  apiGroup: rbac.authorization.k8s.io
diff --git a/assets/overlays/azure-disk/base/node_driver_role.yaml b/assets/overlays/azure-disk/base/node_driver_role.yaml
@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: azure-disk-csi-driver-node-clusterrole
+rules:
+  # Upstream has a rule to get secrets here (https://github.com/kubernetes-sigs/azuredisk-csi-driver/blob/release-1.29/deploy/v1.29.0/rbac-csi-azuredisk-node.yaml),
+  # but OCP doesn't. Such a rule is too broad, it gives the driver access to all secrets in the cluster. The OCP environment must be properly configured,
+  # so fallback to get secrets with this rule is never needed.
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get"]
diff --git a/assets/overlays/azure-disk/generated/hypershift/manifests.yaml b/assets/overlays/azure-disk/generated/hypershift/manifests.yaml
@@ -13,6 +13,8 @@ guestStaticAssetNames:
 - main_resizer_binding.yaml
 - main_snapshotter_binding.yaml
 - node.yaml
+- node_driver_binding.yaml
+- node_driver_role.yaml
 - node_kube_rbac_proxy_binding.yaml
 - node_kube_rbac_proxy_role.yaml
 - node_privileged_binding.yaml
diff --git a/assets/overlays/azure-disk/generated/hypershift/node_driver_binding.yaml b/assets/overlays/azure-disk/generated/hypershift/node_driver_binding.yaml
@@ -0,0 +1,18 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/azure-disk/base/node_driver_binding.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: azure-disk-csi-driver-node-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: azure-disk-csi-driver-node-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: azure-disk-csi-driver-node-sa
+  namespace: ${NODE_NAMESPACE}
diff --git a/assets/overlays/azure-disk/generated/hypershift/node_driver_role.yaml b/assets/overlays/azure-disk/generated/hypershift/node_driver_role.yaml
@@ -0,0 +1,17 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/azure-disk/base/node_driver_role.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: azure-disk-csi-driver-node-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
diff --git a/assets/overlays/azure-disk/generated/standalone/manifests.yaml b/assets/overlays/azure-disk/generated/standalone/manifests.yaml
@@ -18,6 +18,8 @@ guestStaticAssetNames:
 - main_resizer_binding.yaml
 - main_snapshotter_binding.yaml
 - node.yaml
+- node_driver_binding.yaml
+- node_driver_role.yaml
 - node_kube_rbac_proxy_binding.yaml
 - node_kube_rbac_proxy_role.yaml
 - node_privileged_binding.yaml
diff --git a/assets/overlays/azure-disk/generated/standalone/node_driver_binding.yaml b/assets/overlays/azure-disk/generated/standalone/node_driver_binding.yaml
@@ -0,0 +1,18 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/azure-disk/base/node_driver_binding.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: azure-disk-csi-driver-node-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: azure-disk-csi-driver-node-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: azure-disk-csi-driver-node-sa
+  namespace: ${NODE_NAMESPACE}
diff --git a/assets/overlays/azure-disk/generated/standalone/node_driver_role.yaml b/assets/overlays/azure-disk/generated/standalone/node_driver_role.yaml
@@ -0,0 +1,17 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/azure-disk/base/node_driver_role.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: azure-disk-csi-driver-node-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
diff --git a/pkg/driver/azure-disk/azure_disk.go b/pkg/driver/azure-disk/azure_disk.go
@@ -131,6 +131,8 @@ func GetAzureDiskGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 				"overlays/azure-disk/base/csidriver.yaml",
 				"overlays/azure-disk/base/storageclass.yaml",
 				"overlays/azure-disk/base/volumesnapshotclass.yaml",
+				"overlays/azure-disk/base/node_driver_role.yaml",
+				"overlays/azure-disk/base/node_driver_binding.yaml",
 			),
 		},
 	}

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,8 @@ func GetAzureDiskGeneratorConfig() *generator.CSIDriverGeneratorConfig {`
`131`	`131`	`"overlays/azure-disk/base/csidriver.yaml",`
`132`	`132`	`"overlays/azure-disk/base/storageclass.yaml",`
`133`	`133`	`"overlays/azure-disk/base/volumesnapshotclass.yaml",`
	`134`	`+ "overlays/azure-disk/base/node_driver_role.yaml",`
	`135`	`+ "overlays/azure-disk/base/node_driver_binding.yaml",`
`134`	`136`	`),`
`135`	`137`	`},`
`136`	`138`	`}`