# The main role for the operator apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: mysql-operator rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch", "patch"] - apiGroups: [""] resources: ["pods/status"] verbs: ["get", "patch", "update", "watch"] # Kopf needs patch on secrets or the sidecar will throw # The operator needs this verb to be able to pass it to the sidecar - apiGroups: [""] resources: ["secrets"] verbs: ["get", "create", "list", "watch", "patch"] - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "create", "update", "list", "watch", "patch", "delete"] - apiGroups: [""] resources: ["services"] verbs: ["get", "create", "list", "update", "delete", "patch"] - apiGroups: [""] resources: ["serviceaccounts"] verbs: ["get", "create", "patch"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch", "update"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["rolebindings"] verbs: ["get", "create"] - apiGroups: ["policy"] resources: ["poddisruptionbudgets"] verbs: ["get", "create"] - apiGroups: ["batch"] resources: ["jobs"] verbs: ["create"] - apiGroups: ["batch"] resources: ["cronjobs"] verbs: ["get", "create", "update", "delete"] - apiGroups: ["apps"] resources: ["deployments", "statefulsets"] verbs: ["get", "create", "patch", "update", "watch", "delete"] - apiGroups: ["mysql.oracle.com"] resources: ["*"] verbs: ["*"] - apiGroups: ["zalando.org"] resources: ["*"] verbs: ["get", "patch", "list", "watch"] # Kopf: runtime observation of namespaces & CRDs (addition/deletion). - apiGroups: [apiextensions.k8s.io] resources: [customresourcedefinitions] verbs: [list, watch] - apiGroups: [""] resources: [namespaces] verbs: [list, watch] - apiGroups: ["monitoring.coreos.com"] resources: ["servicemonitors"] verbs: ["get", "create", "patch", "update", "delete"] --- # role for the server sidecar apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: mysql-sidecar rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch", "patch"] - apiGroups: [""] resources: ["pods/status"] verbs: ["get", "patch", "update", "watch"] # Kopf needs patch on secrets or the sidecar will throw - apiGroups: [""] resources: ["secrets"] verbs: ["get", "create", "list", "watch", "patch"] - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "create", "list", "watch", "patch"] - apiGroups: [""] resources: ["services"] verbs: ["get", "create", "list", "update"] - apiGroups: [""] resources: ["serviceaccounts"] verbs: ["get", "create"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch", "update"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "patch"] - apiGroups: ["mysql.oracle.com"] resources: ["innodbclusters"] verbs: ["get", "watch", "list"] - apiGroups: ["mysql.oracle.com"] resources: ["mysqlbackups"] verbs: ["create", "get", "list", "patch", "update", "watch", "delete"] - apiGroups: ["mysql.oracle.com"] resources: ["mysqlbackups/status"] verbs: ["get", "patch", "update", "watch"] --- # Give access to the operator apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: mysql-operator-rolebinding subjects: - kind: ServiceAccount name: mysql-operator-sa namespace: mysql-operator # TODO The following entry is for dev purposes only #- kind: Group # name: system:serviceaccounts # apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: mysql-operator apiGroup: rbac.authorization.k8s.io --- apiVersion: zalando.org/v1 kind: ClusterKopfPeering metadata: name: mysql-operator --- apiVersion: v1 kind: Namespace metadata: name: mysql-operator --- apiVersion: v1 kind: ServiceAccount metadata: name: mysql-operator-sa namespace: mysql-operator --- apiVersion: apps/v1 kind: Deployment metadata: name: mysql-operator namespace: mysql-operator labels: version: "1.0" app.kubernetes.io/name: mysql-operator app.kubernetes.io/instance: mysql-operator app.kubernetes.io/version: 9.1.0-2.2.2 app.kubernetes.io/component: controller app.kubernetes.io/managed-by: mysql-operator app.kubernetes.io/created-by: mysql-operator spec: replicas: 1 selector: matchLabels: name: mysql-operator template: metadata: labels: name: mysql-operator spec: securityContext: runAsNonRoot: true containers: - name: mysql-operator image: container-registry.oracle.com/mysql/community-operator:9.1.0-2.2.2 imagePullPolicy: IfNotPresent args: [ "mysqlsh", "--log-level=@INFO", "--pym", "mysqloperator", "operator", ] env: - name: MYSQLSH_USER_CONFIG_HOME value: /mysqlsh - name: MYSQLSH_CREDENTIAL_STORE_SAVE_PASSWORDS value: never readinessProbe: exec: command: - cat - /tmp/mysql-operator-ready initialDelaySeconds: 1 periodSeconds: 3 volumeMounts: - name: mysqlsh-home mountPath: /mysqlsh - name: tmpdir mountPath: /tmp securityContext: capabilities: drop: - ALL runAsUser: 2 allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true runAsNonRoot: true volumes: - name: mysqlsh-home emptyDir: {} - name: tmpdir emptyDir: {} serviceAccountName: mysql-operator-sa