From ea42a0e873f911977c5df0c2d45915095d9ed7af Mon Sep 17 00:00:00 2001
From: 1602077 <62025739+1602077@users.noreply.github.com>
Date: Wed, 5 Jun 2024 13:27:49 +0200
Subject: [PATCH 1/2] deploy: configurable podSecurityContexts in ceph-csi-cephfs
pod-level security contexts for nodeplugin daemonset and provisioner deployment can be set via helm values.yaml
Signed-off-by: 1602077 <62025739+1602077@users.noreply.github.com>
---
 PendingReleaseNotes.md | 2 ++
 charts/ceph-csi-cephfs/README.md | 2 ++
 charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml | 1 +
 charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml | 1 +
 charts/ceph-csi-cephfs/values.yaml | 4 ++++
 5 files changed, 10 insertions(+)
diff --git a/PendingReleaseNotes.md b/PendingReleaseNotes.md
index ade3a3e70..ff18a00f5 100644
--- a/PendingReleaseNotes.md
+++ b/PendingReleaseNotes.md
@@ -4,4 +4,6 @@ ## Features
+- deploy: podSecurityContexts can be configured for ceph-csi-cephfs chart in [PR](https://github.com/ceph/ceph-csi/pull/4664).
+
 ## NOTE
diff --git a/charts/ceph-csi-cephfs/README.md b/charts/ceph-csi-cephfs/README.md
index 21a04bca7..4ec879e1f 100644
--- a/charts/ceph-csi-cephfs/README.md
+++ b/charts/ceph-csi-cephfs/README.md
@@ -129,6 +129,7 @@ charts and their default values.
 | `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
 | `nodeplugin.plugin.image.tag` | Image tag | `canary` |
 | `nodeplugin.plugin.image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `nodeplugin.podSecurityContext` | Specifies pod-level security context. | `{}` |
 | `nodeplugin.nodeSelector` | Kubernetes `nodeSelector` to add to the Daemonset | `{}` |
 | `nodeplugin.tolerations` | List of Kubernetes `tolerations` to add to the Daemonset | `{}` |
 | `nodeplugin.forcecephkernelclient` | Set to true to enable Ceph Kernel clients on kernel < 4.17 which support quotas | `true` |
@@ -163,6 +164,7 @@ charts and their default values.
 | `provisioner.tolerations` | Specifies the tolerations for provisioner deployment | `{}` |
 | `provisioner.affinity` | Specifies the affinity for provisioner deployment | `{}` |
 | `provisioner.podSecurityPolicy.enabled` | Specifies whether podSecurityPolicy is enabled | `false` |
+| `provisioner.podSecurityContext` | Specifies pod-level security context. | `{}` |
 | `provisionerSocketFile` | The filename of the provisioner socket | `csi-provisioner.sock` |
 | `pluginSocketFile` | The filename of the plugin socket | `csi.sock` |
 | `readAffinity.enabled` | Enable read affinity for CephFS subvolumes. Recommended to set to true if running kernel 5.8 or newer. | `false` |
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
index 252013f99..5da5ca165 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
@@ -28,6 +28,7 @@ spec:
 heritage: {{ .Release.Service }}
 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
 spec:
+ securityContext: {{ toYaml .Values.nodeplugin.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
 {{- if .Values.nodeplugin.priorityClassName }}
 priorityClassName: {{ .Values.nodeplugin.priorityClassName }}
diff --git a/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml b/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml
index 4767866ba..685e39b66 100644
--- a/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml
+++ b/charts/ceph-csi-cephfs/templates/provisioner-deployment.yaml
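Review bot: The added `securityContext:` line is rendered unconditionally, so with the chart default `podSecurityContext: {}` every nodeplugin pod now carries an explicit empty `securityContext` block (`toYaml` of an empty map appears to emit `{}`); Kubernetes treats that as unset, but it is a spurious field in rendered manifests and in upgrade diffs against releases installed from the previous chart version. Guarding the key keeps today's output when the value is empty: `{{- with .Values.nodeplugin.podSecurityContext }}` / `securityContext: {{- toYaml . | nindent 8 }}` / `{{- end }}`. The same unconditional pattern is used in the cephfs provisioner-deployment.yaml hunk below and in both ceph-csi-rbd template hunks of the second patch. The pod `spec:` block that this line is inserted into continues outside the hunk.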
@@ -57,6 +57,7 @@ spec:
 {{ toYaml .Values.provisioner.affinity | indent 8 -}}
 {{- end -}}
 {{- end }}
+ securityContext: {{ toYaml .Values.provisioner.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.provisioner" . }}
 hostNetwork: {{ .Values.provisioner.enableHostNetwork }}
 {{- if .Values.provisioner.priorityClassName }}
diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml
index b13b50524..d0eaaadc8 100644
--- a/charts/ceph-csi-cephfs/values.yaml
+++ b/charts/ceph-csi-cephfs/values.yaml
@@ -127,6 +127,8 @@ nodeplugin:
 affinity: {}
+ podSecurityContext: {}
+
 # Set to true to enable Ceph Kernel clients
 # on kernel < 4.17 which support quotas
 # forcecephkernelclient: true
@@ -244,6 +246,8 @@ provisioner:
 affinity: {}
+ podSecurityContext: {}
+
 # readAffinity:
 # Enable read affinity for CephFS subvolumes. Recommended to
 # set to true if running kernel 5.8 or newer.
From 6b21263efd5b04d0b68f2afe306587bf8f9f5d74 Mon Sep 17 00:00:00 2001
From: 1602077 <62025739+1602077@users.noreply.github.com>
Date: Thu, 6 Jun 2024 10:23:10 +0200
Subject: [PATCH 2/2] deploy: configurable podSecurityContexts in ceph-csi-rbd
Signed-off-by: 1602077 <62025739+1602077@users.noreply.github.com>
---
 PendingReleaseNotes.md | 1 +
 charts/ceph-csi-rbd/README.md | 2 ++
 charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml | 1 +
 charts/ceph-csi-rbd/templates/provisioner-deployment.yaml | 1 +
 charts/ceph-csi-rbd/values.yaml | 4 ++++
 5 files changed, 9 insertions(+)
diff --git a/PendingReleaseNotes.md b/PendingReleaseNotes.md
index ff18a00f5..b4fabb66f 100644
--- a/PendingReleaseNotes.md
+++ b/PendingReleaseNotes.md
@@ -5,5 +5,6 @@ ## Features
 - deploy: podSecurityContexts can be configured for ceph-csi-cephfs chart in [PR](https://github.com/ceph/ceph-csi/pull/4664).
+- deploy: podSecurityContexts can be configured for ceph-csi-rbd chart in [PR](https://github.com/ceph/ceph-csi/pull/4668)
 ## NOTE
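Review bot: `podSecurityContext: {}` is added to values.yaml without the explanatory comment its neighbours (`forcecephkernelclient`, `readAffinity`) carry, so a chart user has to read the templates to find out where the value lands and what it affects. A comment above the key would close that gap, e.g. `# Pod-level securityContext rendered into spec.template.spec.securityContext of the nodeplugin DaemonSet; it applies to every container in the pod, and container-level securityContext fields take precedence where both are set.`, with matching wording for the provisioner key in the second hunk of this file. The ceph-csi-rbd values.yaml hunks in the second patch have the same gap.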
diff --git a/charts/ceph-csi-rbd/README.md b/charts/ceph-csi-rbd/README.md
index a5850f046..f0f45df82 100644
--- a/charts/ceph-csi-rbd/README.md
+++ b/charts/ceph-csi-rbd/README.md
@@ -131,6 +131,7 @@ charts and their default values.
 | `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
 | `nodeplugin.plugin.image.tag` | Image tag | `canary` |
 | `nodeplugin.plugin.image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `nodeplugin.podSecurityContext` | Specifies pod-level security context. | `{}` |
 | `nodeplugin.nodeSelector` | Kubernetes `nodeSelector` to add to the Daemonset | `{}` |
 | `nodeplugin.tolerations` | List of Kubernetes `tolerations` to add to the Daemonset | `{}` |
 | `nodeplugin.podSecurityPolicy.enabled` | If true, create & use [Pod Security Policy resources](https://kubernetes.io/docs/concepts/policy/pod-security-policy/). | `false` |
@@ -154,6 +155,7 @@ charts and their default values.
 | `provisioner.provisioner.image.tag` | Specifies image tag | `v4.0.1` |
 | `provisioner.provisioner.image.pullPolicy` | Specifies pull policy | `IfNotPresent` |
 | `provisioner.provisioner.image.extraArgs` | Specifies extra arguments for the provisioner sidecar | `[]` |
+| `provisioner.podSecurityContext` | Specifies pod-level security context. | `{}` |
 | `provisioner.snapshotter.args.enableVolumeGroupSnapshots` | enables the creation of volume group snapshots | `false` |
 | `provisioner.attacher.image.repository` | Specifies the csi-attacher image repository URL | `registry.k8s.io/sig-storage/csi-attacher` |
 | `provisioner.attacher.image.tag` | Specifies image tag | `v4.5.` |
diff --git a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
index 925ea6908..a511f67aa 100644
--- a/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml
@@ -28,6 +28,7 @@ spec:
 heritage: {{ .Release.Service }}
 {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
 spec:
+ securityContext: {{ toYaml .Values.nodeplugin.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }}
 hostNetwork: true
 hostPID: true
diff --git a/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml b/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml
index 15d122d27..a922bd2ac 100644
--- a/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml
+++ b/charts/ceph-csi-rbd/templates/provisioner-deployment.yaml
@@ -57,6 +57,7 @@ spec:
 {{ toYaml .Values.provisioner.affinity | indent 8 -}}
 {{- end -}}
 {{- end }}
+ securityContext: {{ toYaml .Values.provisioner.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ include "ceph-csi-rbd.serviceAccountName.provisioner" . }}
 hostNetwork: {{ .Values.provisioner.enableHostNetwork }}
 {{- if .Values.provisioner.priorityClassName }}
diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml
index 5af637132..40a0a5eea 100644
--- a/charts/ceph-csi-rbd/values.yaml
+++ b/charts/ceph-csi-rbd/values.yaml
@@ -156,6 +156,8 @@ nodeplugin:
 affinity: {}
+ podSecurityContext: {}
+
 provisioner:
 name: provisioner
 replicaCount: 3
@@ -295,6 +297,8 @@ provisioner:
 affinity: {}
+ podSecurityContext: {}
+
 topology:
 # Specifies whether topology based provisioning support should
 # be exposed by CSI
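Review bot: The pod-level securityContext is inserted into a pod that also sets `hostNetwork: true` and `hostPID: true` two lines below, so a value such as `runAsNonRoot: true`, `runAsUser` or `fsGroup` given here applies to every container of the DaemonSet pod, including the driver container, and a podSecurityContext that is appropriate for the provisioner Deployment is not necessarily workable for this DaemonSet. Presumably the driver container sets its own container-level securityContext further down this template (outside the hunk), which would override the overlapping pod-level fields, but that interaction is documented nowhere in the README rows or values.yaml. Suggest a sentence on the `nodeplugin.podSecurityContext` README row along the lines of `Applies to all containers of the nodeplugin pod; container-level securityContext fields take precedence where both are set, so validate restrictive settings on a test node before rolling them out.`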