build: add yamlgen to build deployment files

This initial version of yamlgen generates deploy/scc.yaml based on the deployment artifact that is provided by the new api/deploy/ocp package. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2025-06-13 02:33:34 +00:00 · 2021-10-01 14:08:56 +02:00
parent 36e099d939
commit 5ea99fdd5b
32 changed files with 8850 additions and 2 deletions
--- a/deploy/Makefile
+++ b/deploy/Makefile
@ -0,0 +1,19 @@
+# Copyright 2021 The Ceph-CSI Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: all
+all: scc.yaml
+
+scc.yaml: ../api/deploy/ocp/scc.yaml ../api/deploy/ocp/scc.go
+	$(MAKE) -C ../tools generate-deploy
--- a/deploy/scc.yaml
+++ b/deploy/scc.yaml
@ -0,0 +1,51 @@
+---
+#
+# /!\ DO NOT MODIFY THIS FILE
+#
+# This file has been automatically generated by Ceph-CSI yamlgen.
+# The source for the contents can be found in the api/deploy directory, make
+# your modifications there.
+#
+---
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: "ceph-csi"
+# To allow running privilegedContainers
+allowPrivilegedContainer: true
+# CSI daemonset pod needs hostnetworking
+allowHostNetwork: true
+# This need to be set to true as we use HostPath
+allowHostDirVolumePlugin: true
+priority:
+# SYS_ADMIN is needed for rbd to execture rbd map command
+allowedCapabilities: ["SYS_ADMIN"]
+# Needed as we run liveness container on daemonset pods
+allowHostPorts: true
+# Needed as we are setting this in RBD plugin pod
+allowHostPID: true
+# Required for encryption
+allowHostIPC: true
+# Set to false as we write to RootFilesystem inside csi containers
+readOnlyRootFilesystem: false
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+fsGroup:
+  type: RunAsAny
+supplementalGroups:
+  type: RunAsAny
+# The type of volumes which are mounted to csi pods
+volumes:
+  - configMap
+  - projected
+  - emptyDir
+  - hostPath
+users:
+  # A user needs to be added for each service account.
+  - "system:serviceaccount:ceph-csi:csi-rbd-plugin-sa"
+  - "system:serviceaccount:ceph-csi:csi-rbd-provisioner-sa"
+  - "system:serviceaccount:ceph-csi:csi-cephfs-plugin-sa"
+  # yamllint disable-line rule:line-length
+  - "system:serviceaccount:ceph-csi:csi-cephfs-provisioner-sa"