apiVersion: v1
kind: ServiceAccount
metadata:
  name: volume-data-source-validator
  namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: volume-data-source-validator
rules:
  - apiGroups: [populator.storage.k8s.io]
    resources: [volumepopulators]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [persistentvolumeclaims]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [events]
    verbs: [list, watch, create, update, patch]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: volume-data-source-validator
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: volume-data-source-validator
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: volume-data-source-validator
  apiGroup: rbac.authorization.k8s.io