helm: Add selinuxMount flag to enable/disable /etc/selinux host mount

Add selinuxMount flag to enable/disable /etc/selinux host mount inside pods
to support selinux-enabled filesystems

Signed-off-by: Francesco Astegiano <francesco.astegiano@gmail.com>
Francesco Astegiano 2022-02-16 00:13:39 +01:00 committed by mergify[bot]
parent ea89b26f65
commit 4235178f7c
8 changed files with 22 additions and 0 deletions


@ -156,6 +156,7 @@ charts and their default values.
| `secret.name` | Specifies the cephFS secret name | `csi-cephfs-secret` |
| `secret.adminID` | Specifies the admin ID of the cephFS secret | `<plaintext ID>` |
| `secret.adminKey` | Specifies the key that corresponds to the adminID | `<Ceph auth key corresponding to ID above>` |
| `selinuxMount` | Mount the host /etc/selinux inside pods to support selinux-enabled filesystems | `true` |
### Command Line


@ -112,9 +112,11 @@ spec:
name: host-mount
- mountPath: /sys
name: host-sys
{{- if .Values.selinuxMount }}
- mountPath: /etc/selinux
name: etc-selinux
readOnly: true
{{- end }}
- mountPath: /lib/modules
name: lib-modules
readOnly: true
@ -176,9 +178,11 @@ spec:
- name: host-sys
hostPath:
path: /sys
{{- if .Values.selinuxMount }}
- name: etc-selinux
hostPath:
path: /etc/selinux
{{- end }}
- name: host-mount
hostPath:
path: /run/mount
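Review bot: The guard `{{- if .Values.selinuxMount }}` on both the volumeMount and the hostPath volume treats an absent key the same as `false`, so a release upgraded with values that predate this flag (for instance `helm upgrade --reuse-values`, which as far as I know does not merge new chart defaults) would silently lose the /etc/selinux mount on SELinux-enabled hosts. If keeping the mount is meant to stay the default, test for an explicit opt-out instead, e.g. `{{- if or (not (hasKey .Values "selinuxMount")) .Values.selinuxMount }}`; `default true .Values.selinuxMount` would not work because `false` counts as empty. The same guard appears in the allowedHostPaths hunk and in the other chart's template sections further down, so the change would apply there too. Both spec blocks start and end outside the hunks.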


@ -40,8 +40,10 @@ spec:
readOnly: false
- pathPrefix: '/sys'
readOnly: false
{{- if .Values.selinuxMount }}
- pathPrefix: '/etc/selinux'
readOnly: true
{{- end }}
- pathPrefix: '/lib/modules'
readOnly: true
- pathPrefix: '{{ .Values.kubeletDir }}'


@ -201,6 +201,10 @@ provisioner:
podSecurityPolicy:
enabled: false
# Mount the host /etc/selinux inside pods to support
# selinux-enabled filesystems
selinuxMount: true
topology:
# Specifies whether topology based provisioning support should
# be exposed by CSI
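Review bot: The comment above `selinuxMount: true` does not tell an operator what disabling the flag changes or when that is safe. Going by the template hunks in this commit, it controls a read-only hostPath mount plus the matching PSP `allowedHostPaths` entry, so I would spell that out: `# Mount the host /etc/selinux read-only inside pods to support selinux-enabled filesystems.` followed by `# Set to false to drop the hostPath volume and its PSP allowedHostPaths entry.` Disabling is presumably appropriate only on hosts that do not run SELinux, which the comment could also say once confirmed. The other values file at the end of this commit carries the same two-line comment.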


@ -175,6 +175,7 @@ charts and their default values.
| `secret.userID` | Specifies the user ID of the rbd secret | `<plaintext ID>` |
| `secret.userKey` | Specifies the key that corresponds to the userID | `<Ceph auth key corresponding to ID above>` |
| `secret.encryptionPassphrase` | Specifies the encryption passphrase of the secret | `test_passphrase` |
| `selinuxMount` | Mount the host /etc/selinux inside pods to support selinux-enabled filesystems | `true` |
### Command Line


@ -109,9 +109,11 @@ spec:
name: host-mount
- mountPath: /sys
name: host-sys
{{- if .Values.selinuxMount }}
- mountPath: /etc/selinux
name: etc-selinux
readOnly: true
{{- end }}
- mountPath: /lib/modules
name: lib-modules
readOnly: true
@ -193,9 +195,11 @@ spec:
- name: host-sys
hostPath:
path: /sys
{{- if .Values.selinuxMount }}
- name: etc-selinux
hostPath:
path: /etc/selinux
{{- end }}
- name: lib-modules
hostPath:
path: /lib/modules


@ -40,8 +40,10 @@ spec:
readOnly: false
- pathPrefix: '/sys'
readOnly: false
{{- if .Values.selinuxMount }}
- pathPrefix: '/etc/selinux'
readOnly: true
{{- end }}
- pathPrefix: '/lib/modules'
readOnly: true
- pathPrefix: '{{ .Values.cephLogDirHostPath }}'


@ -399,6 +399,10 @@ storageClass:
# mountOptions:
# - discard
# Mount the host /etc/selinux inside pods to support
# selinux-enabled filesystems
selinuxMount: true
secret:
# Specifies whether the secret should be created
create: false