Merge pull request #66 from DrFaust92:node-ebac

align rbac with chart

csi_rbac.tf

@@ -67,6 +67,12 @@ resource "kubernetes_cluster_role" "provisioner" {
     resources  = ["leases"]
     verbs      = ["get", "watch", "list", "delete", "update", "create"]
   }
+
+  rule {
+    api_groups = ["storage.k8s.io"]
+    resources  = ["volumeattachments"]
+    verbs      = ["get", "list", "watch"]
+  }
 }
 
 resource "kubernetes_cluster_role_binding" "provisioner" {
@@ -166,17 +172,24 @@ resource "kubernetes_cluster_role" "resizer" {
     verbs      = ["update", "patch"]
   }
 
+
   rule {
-    api_groups = [""]
-    resources  = ["pods"]
-    verbs      = ["get", "list", "watch"]
+    api_groups = ["storage.k8s.io"]
+    resources  = ["storageclasses"]
+    verbs      = ["list", "watch", "create", "update", "patch"]
   }
 
   rule {
     api_groups = [""]
     resources  = ["events"]
     verbs      = ["list", "watch", "create", "update", "patch"]
   }
+
+  rule {
+    api_groups = [""]
+    resources  = ["pods"]
+    verbs      = ["get", "list", "watch"]
+  }
 }
 
 resource "kubernetes_cluster_role_binding" "resizer" {
@@ -224,48 +237,6 @@ resource "kubernetes_cluster_role" "snapshotter" {
     resources  = ["volumesnapshotclasses"]
     verbs      = ["get", "list", "watch"]
   }
-
-  rule {
-    api_groups = [""]
-    resources  = ["secrets"]
-    verbs      = ["get", "list"]
-  }
-
-  rule {
-    api_groups = [""]
-    resources  = ["events"]
-    verbs      = ["list", "watch", "create", "update", "patch"]
-  }
-
-  rule {
-    api_groups = [""]
-    resources  = ["persistentvolumes"]
-    verbs      = ["get", "list", "watch", "update", "patch"]
-  }
-
-  rule {
-    api_groups = [""]
-    resources  = ["persistentvolumeclaims"]
-    verbs      = ["get", "list", "watch"]
-  }
-
-  rule {
-    api_groups = [""]
-    resources  = ["persistentvolumeclaims/status"]
-    verbs      = ["update", "patch"]
-  }
-
-  rule {
-    api_groups = ["storage.k8s.io"]
-    resources  = ["storageclasses"]
-    verbs      = ["get", "list", "watch"]
-  }
-
-  rule {
-    api_groups = [""]
-    resources  = ["events"]
-    verbs      = ["list", "watch", "create", "update", "patch"]
-  }
 }
 
 resource "kubernetes_cluster_role_binding" "snapshotter" {

locals.tf

@@ -1,6 +1,6 @@
 locals {
   ebs_csi_driver_version = var.ebs_csi_driver_version == "" ? "v0.8.1-amazonlinux" : var.ebs_csi_driver_version
-  liveness_probe_version = "v2.2.0"
+  liveness_probe_version = "v2.4.0"
   controller_name        = "ebs-csi-controller"
   daemonset_name         = "ebs-csi-node"
   csi_volume_tags        = join(",", [for key, value in var.tags : "${key}=${value}"])

node-rbac.tf

@@ -0,0 +1,37 @@
+resource "kubernetes_service_account" "node" {
+  metadata {
+    name      = local.daemonset_name
+    namespace = var.namespace
+  }
+  automount_service_account_token = true
+}
+
+resource "kubernetes_cluster_role" "node" {
+  metadata {
+    name = "ebs-csi-node-role"
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["nodes"]
+    verbs      = ["get"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "node" {
+  metadata {
+    name = "ebs-csi-provisioner-binding"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.node.metadata[0].name
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.node.metadata[0].name
+    namespace = kubernetes_service_account.node.metadata[0].namespace
+  }
+}

node.tf

@@ -44,8 +44,10 @@ resource "kubernetes_daemonset" "node" {
           "beta.kubernetes.io/os" : "linux",
         }, var.extra_node_selectors, var.node_extra_node_selectors)
 
-        host_network        = true
-        priority_class_name = "system-cluster-critical"
+        host_network                    = true
+        service_account_name            = kubernetes_service_account.node.metadata[0].name
+        automount_service_account_token = true
+        priority_class_name             = "system-cluster-critical"
 
         toleration {
           operator = "Exists"