add rbac rules to support deletion of snaps

Pearl1594 · Pearl1594 · commit 04b550929749 · 2025-07-30T16:13:59.000-04:00
diff --git a/cmd/cloudstack-csi-driver/Dockerfile b/cmd/cloudstack-csi-driver/Dockerfile
@@ -14,7 +14,9 @@ RUN apk add --no-cache \
     # blkid, mount and umount are required by k8s.io/mount-utils \
     blkid \
     mount \
-    umount
+    umount \
+    # Provides udevadm for device path detection \
+    udev
 
 COPY ./bin/cloudstack-csi-driver /cloudstack-csi-driver
-ENTRYPOINT ["/cloudstack-csi-driver"]
+ENTRYPOINT ["/cloudstack-csi-driver"]
diff --git a/deploy/k8s/rbac.yaml b/deploy/k8s/rbac.yaml
@@ -86,3 +86,35 @@ roleRef:
   kind: ClusterRole
   name: cloudstack-csi-node-role
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cloudstack-csi-snapshotter-role
+rules:
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshotclasses"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshotcontents"]
+  verbs: ["create", "get", "list", "watch", "update", "delete"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshots"]
+  verbs: ["get", "list", "watch", "update"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshotcontents/status"]
+  verbs: ["update"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cloudstack-csi-snapshotter-binding
+subjects:
+- kind: ServiceAccount
+  name: cloudstack-csi-controller
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: cloudstack-csi-snapshotter-role
+  apiGroup: rbac.authorization.k8s.io
diff --git a/pkg/driver/controller.go b/pkg/driver/controller.go
@@ -286,7 +286,7 @@ func determineSize(req *csi.CreateVolumeRequest) (int64, error) {
 
 func (cs *controllerServer) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error) {
 	logger := klog.FromContext(ctx)
-	logger.V(6).Info("DeleteVolume: called", "args", *req)
+	logger.Info("DeleteVolume: called", "args", *req)
 
 	if req.GetVolumeId() == "" {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID missing in request")
