From 3dc810a75be2b18c22ef20e48d29018159f7710f Mon Sep 17 00:00:00 2001
From: gman
Date: Fri, 9 Mar 2018 17:03:31 +0100
Subject: [PATCH] cephfs: lowered permissions in cephfsplugin.yaml
---
 deploy/cephfs/kubernetes/cephfsplugin.yaml | 29 ++++---------------
 deploy/cephfs/kubernetes/csi-provisioner.yaml | 3 +-
 2 files changed, 7 insertions(+), 25 deletions(-)
diff --git a/deploy/cephfs/kubernetes/cephfsplugin.yaml b/deploy/cephfs/kubernetes/cephfsplugin.yaml
index bf639650a..0c79a4289 100644
--- a/deploy/cephfs/kubernetes/cephfsplugin.yaml
+++ b/deploy/cephfs/kubernetes/cephfsplugin.yaml
@@ -14,18 +14,6 @@ rules:
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get", "list", "update"]
- - apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -81,7 +69,7 @@ spec:
 capabilities:
 add: ["SYS_ADMIN"]
 allowPrivilegeEscalation: true
- image: csi_images/cephfsplugin:latest
+ image: cephfsplugin:latest
 args :
 - "--nodeid=$(NODE_ID)"
 - "--endpoint=$(CSI_ENDPOINT)"
@@ -101,15 +89,13 @@ spec:
 - name: pods-mount-dir
 mountPath: /var/lib/kubelet/pods
 mountPropagation: "Bidirectional"
- - mountPath: /dev
- name: host-dev
 - mountPath: /sys
 name: host-sys
 - mountPath: /lib/modules
 name: lib-modules
 readOnly: true
- - name: cephfs-config
- mountPath: /etc/ceph
+ #- name: cephfs-config
+ # mountPath: /etc/ceph
 volumes:
 - name: plugin-dir
 hostPath:
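Review bot: The new `image: cephfsplugin:latest` line names an image with no registry and a mutable `latest` tag, for a container that the surrounding context shows running with `SYS_ADMIN` and `allowPrivilegeEscalation: true`. With a `latest` tag Kubernetes defaults `imagePullPolicy` to `Always` unless the manifest sets it (not visible in this hunk), so the node resolves the short name against the runtime's default registry instead of using a locally built image. Pin a registry-qualified reference with a fixed tag or digest, e.g. `image: <registry>/<repo>/cephfsplugin:<version>@sha256:<digest>` (placeholders), or at minimum add `imagePullPolicy: IfNotPresent` with a comment that the image must be preloaded on every node. The container spec starts and ends outside the hunk.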
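Review bot: The `cephfs-config` mount is commented out (`#- name: cephfs-config` / `# mountPath: /etc/ceph`) rather than deleted, and nothing says whether the plugin still needs the host's `/etc/ceph`; the matching `hostPath` volume in the later `volumes:` hunk (`@@ -123,15 +109,12 @@`) is left the same way. Commented-out stanzas in a deployment manifest tend to get uncommented without review, which here would re-expose host Ceph configuration (likely including keyrings, to be confirmed for this deployment) to a privileged container. Either delete both stanzas, or keep them under an explanatory comment such as `# Optional: only needed when the plugin reads the host's Ceph config; mount read-only` and add `readOnly: true` to the mount. The `volumeMounts` list starts outside the hunk.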
@@ -123,15 +109,12 @@ spec:
 hostPath:
 path: /var/lib/kubelet/plugins/cephfsplugin
 type: DirectoryOrCreate
- - name: host-dev
- hostPath:
- path: /dev
 - name: host-sys
 hostPath:
 path: /sys
 - name: lib-modules
 hostPath:
 path: /lib/modules
- - name: cephfs-config
- hostPath:
- path: /etc/ceph
+ #- name: cephfs-config
+ # hostPath:
+ # path: /etc/ceph
diff --git a/deploy/cephfs/kubernetes/csi-provisioner.yaml b/deploy/cephfs/kubernetes/csi-provisioner.yaml
index 91c99091e..9c2040c23 100644
--- a/deploy/cephfs/kubernetes/csi-provisioner.yaml
+++ b/deploy/cephfs/kubernetes/csi-provisioner.yaml
@@ -30,7 +30,7 @@ rules:
 - apiGroups: [""]
 resources: ["events"]
 verbs: ["list", "watch", "create", "update", "patch"]
-
+
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -76,7 +76,6 @@ spec:
 containers:
 - name: csi-provisioner
 image: quay.io/k8scsi/csi-provisioner:latest
- # image: quay.io/k8scsi/csi-provisioner:latest
 args:
 - "--provisioner=cephfsplugin"
 - "--csi-address=$(ADDRESS)"