deploy: remove psp from cephcsi
As PSP is deprecated in Kubernetes 1.21
and will be removed in Kubernetes 1.25,
remove the existing PSP-related templates
from the repo and update the required documents.
fixes #1988
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 96a3aabe5a
)
parent
7fbde0c820
commit
cf33b3e7a1
@ -1,51 +0,0 @@
|
||||
{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "ceph-csi-cephfs.fullname" . }}
|
||||
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||
component: {{ .Values.nodeplugin.name }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- 'SYS_ADMIN'
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
privileged: true
|
||||
hostNetwork: true
|
||||
hostPorts:
|
||||
- min: {{ .Values.nodeplugin.httpMetrics.containerPort }}
|
||||
max: {{ .Values.nodeplugin.httpMetrics.containerPort }}
|
||||
hostPID: true
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/run/mount'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
{{- if .Values.selinuxMount }}
|
||||
- pathPrefix: '/etc/selinux'
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
- pathPrefix: '{{ .Values.kubeletDir }}'
|
||||
readOnly: false
|
||||
{{- end }}
|
@ -1,18 +0,0 @@
|
||||
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "ceph-csi-cephfs.fullname" . }}
|
||||
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||
component: {{ .Values.nodeplugin.name }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}']
|
||||
{{- end -}}
|
@ -1,21 +0,0 @@
|
||||
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "ceph-csi-cephfs.fullname" . }}
|
||||
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||
component: {{ .Values.nodeplugin.name }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end -}}
|
@ -1,34 +0,0 @@
|
||||
{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "ceph-csi-cephfs.name" . }}
|
||||
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||
component: {{ .Values.provisioner.name }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
{{- end }}
|
@ -17,10 +17,4 @@ rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||
{{- if .Values.provisioner.podSecurityPolicy.enabled }}
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['{{ include "ceph-csi-cephfs.provisioner.fullname" . }}']
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
@ -110,11 +110,6 @@ nodeplugin:
|
||||
kernelmountoptions: ""
|
||||
fusemountoptions: ""
|
||||
|
||||
# If true, create & use Pod Security Policy resources
|
||||
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
provisioner:
|
||||
name: provisioner
|
||||
replicaCount: 3
|
||||
@ -205,11 +200,6 @@ provisioner:
|
||||
|
||||
affinity: {}
|
||||
|
||||
# If true, create & use Pod Security Policy resources
|
||||
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
# Mount the host /etc/selinux inside pods to support
|
||||
# selinux-enabled filesystems
|
||||
selinuxMount: true
|
||||
|
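Review bot: Removing the `nodeplugin.podSecurityPolicy` and `provisioner.podSecurityPolicy` keys from values.yaml leaves no guard behind, and Helm silently ignores unknown values, so a user who still pins `podSecurityPolicy.enabled=true` upgrades without error but also without the PSP and its `use` Role; on a cluster that still runs the PodSecurityPolicy admission controller (1.21–1.24) the node plugin, which per the deleted template needs `privileged: true`, `hostNetwork`, `hostPID` and `SYS_ADMIN`, is then rejected at admission unless some other PSP covers its service account. A `values.schema.json` that rejects the removed keys (or a NOTES.txt warning) would make the break loud instead of silent. The file also says nothing about what replaces PSP; a short comment next to `selinuxMount` would help, e.g. `# PSP support was removed. On clusters enforcing Pod Security Admission, label the release namespace pod-security.kubernetes.io/enforce=privileged: the nodeplugin runs privileged with hostNetwork/hostPID.` The same applies to the RBD chart's values.yaml below.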
@ -1,53 +0,0 @@
|
||||
{{- if .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "ceph-csi-rbd.name" . }}
|
||||
chart: {{ include "ceph-csi-rbd.chart" . }}
|
||||
component: {{ .Values.nodeplugin.name }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- 'SYS_ADMIN'
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
privileged: true
|
||||
hostNetwork: true
|
||||
hostPorts:
|
||||
- min: {{ .Values.nodeplugin.httpMetrics.containerPort }}
|
||||
max: {{ .Values.nodeplugin.httpMetrics.containerPort }}
|
||||
hostPID: true
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/run/mount'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
{{- if .Values.selinuxMount }}
|
||||
- pathPrefix: '/etc/selinux'
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
- pathPrefix: '{{ .Values.cephLogDirHostPath }}'
|
||||
readOnly: false
|
||||
- pathPrefix: '{{ .Values.kubeletDir }}'
|
||||
readOnly: false
|
||||
{{- end }}
|
@ -1,18 +0,0 @@
|
||||
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "ceph-csi-rbd.name" . }}
|
||||
chart: {{ include "ceph-csi-rbd.chart" . }}
|
||||
component: {{ .Values.nodeplugin.name }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['{{ include "ceph-csi-rbd.nodeplugin.fullname" . }}']
|
||||
{{- end -}}
|
@ -1,21 +0,0 @@
|
||||
{{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}}
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "ceph-csi-rbd.name" . }}
|
||||
chart: {{ include "ceph-csi-rbd.chart" . }}
|
||||
component: {{ .Values.nodeplugin.name }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end -}}
|
@ -1,34 +0,0 @@
|
||||
{{- if .Values.provisioner.podSecurityPolicy.enabled -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}
|
||||
labels:
|
||||
app: {{ include "ceph-csi-rbd.name" . }}
|
||||
chart: {{ include "ceph-csi-rbd.chart" . }}
|
||||
component: {{ .Values.provisioner.name }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
{{- end }}
|
@ -17,10 +17,4 @@ rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||
{{- if .Values.provisioner.podSecurityPolicy.enabled }}
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['{{ include "ceph-csi-rbd.provisioner.fullname" . }}']
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
@ -124,11 +124,6 @@ nodeplugin:
|
||||
|
||||
affinity: {}
|
||||
|
||||
# If true, create & use Pod Security Policy resources
|
||||
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
provisioner:
|
||||
name: provisioner
|
||||
replicaCount: 3
|
||||
@ -247,11 +242,6 @@ provisioner:
|
||||
|
||||
affinity: {}
|
||||
|
||||
# If true, create & use Pod Security Policy resources
|
||||
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
|
||||
podSecurityPolicy:
|
||||
enabled: false
|
||||
|
||||
topology:
|
||||
# Specifies whether topology based provisioning support should
|
||||
# be exposed by CSI
|
||||
|
@ -1,75 +0,0 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: cephfs-csi-nodeplugin-psp
|
||||
spec:
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- 'SYS_ADMIN'
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
privileged: true
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/run/mount'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
- pathPrefix: '/etc/selinux'
|
||||
readOnly: true
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
- pathPrefix: '/var/lib/kubelet/pods'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins/cephfs.csi.ceph.com'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins_registry'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins'
|
||||
readOnly: false
|
||||
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: cephfs-csi-nodeplugin-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['cephfs-csi-nodeplugin-psp']
|
||||
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: cephfs-csi-nodeplugin-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cephfs-csi-nodeplugin
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: cephfs-csi-nodeplugin-psp
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -1,57 +0,0 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: cephfs-csi-provisioner-psp
|
||||
spec:
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: cephfs-csi-provisioner-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['cephfs-csi-provisioner-psp']
|
||||
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: cephfs-csi-provisioner-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: cephfs-csi-provisioner
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: cephfs-csi-provisioner-psp
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -1,77 +0,0 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: nfs-csi-nodeplugin-psp
|
||||
spec:
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- 'SYS_ADMIN'
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
privileged: true
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/run/mount'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
- pathPrefix: '/etc/selinux'
|
||||
readOnly: true
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
- pathPrefix: '/var/lib/kubelet/pods'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins/nfs.csi.ceph.com'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins_registry'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins'
|
||||
readOnly: false
|
||||
hostPorts:
|
||||
- min: 29653
|
||||
max: 29653
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: nfs-csi-nodeplugin-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['nfs-csi-nodeplugin-psp']
|
||||
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: nfs-csi-nodeplugin-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: nfs-csi-nodeplugin
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: nfs-csi-nodeplugin-psp
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -1,55 +0,0 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: nfs-csi-provisioner-psp
|
||||
spec:
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: nfs-csi-provisioner-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['nfs-csi-provisioner-psp']
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: nfs-csi-provisioner-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: nfs-csi-provisioner
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: nfs-csi-provisioner-psp
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -1,77 +0,0 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: rbd-csi-nodeplugin-psp
|
||||
spec:
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- 'SYS_ADMIN'
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
privileged: true
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'hostPath'
|
||||
- 'secret'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/run/mount'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
- pathPrefix: '/etc/selinux'
|
||||
readOnly: true
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
- pathPrefix: '/var/lib/kubelet/pods'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/log/ceph'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins/rbd.csi.ceph.com'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins_registry'
|
||||
readOnly: false
|
||||
- pathPrefix: '/var/lib/kubelet/plugins'
|
||||
readOnly: false
|
||||
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: rbd-csi-nodeplugin-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['rbd-csi-nodeplugin-psp']
|
||||
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: rbd-csi-nodeplugin-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: rbd-csi-nodeplugin
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: rbd-csi-nodeplugin-psp
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -1,57 +0,0 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: rbd-csi-provisioner-psp
|
||||
spec:
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'hostPath'
|
||||
allowedHostPaths:
|
||||
- pathPrefix: '/dev'
|
||||
readOnly: false
|
||||
- pathPrefix: '/sys'
|
||||
readOnly: false
|
||||
- pathPrefix: '/lib/modules'
|
||||
readOnly: true
|
||||
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
name: rbd-csi-provisioner-psp
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['rbd-csi-provisioner-psp']
|
||||
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: rbd-csi-provisioner-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: rbd-csi-provisioner
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: rbd-csi-provisioner-psp
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -17,6 +17,7 @@
|
||||
- [2.1 Update the CephFS Nodeplugin RBAC](#21-update-the-cephfs-nodeplugin-rbac)
|
||||
- [2.2 Update the CephFS Nodeplugin daemonset](#22-update-the-cephfs-nodeplugin-daemonset)
|
||||
- [2.3 Manual deletion of CephFS Nodeplugin daemonset pods](#23-manual-deletion-of-cephfs-nodeplugin-daemonset-pods)
|
||||
- [Delete removed CephFS PSP, Role and RoleBinding](#delete-removed-cephfs-psp-role-and-rolebinding)
|
||||
- [Upgrading RBD](#upgrading-rbd)
|
||||
- [3. Upgrade RBD Provisioner resources](#3-upgrade-rbd-provisioner-resources)
|
||||
- [3.1 Update the RBD Provisioner RBAC](#31-update-the-rbd-provisioner-rbac)
|
||||
@ -24,6 +25,7 @@
|
||||
- [4. Upgrade RBD Nodeplugin resources](#4-upgrade-rbd-nodeplugin-resources)
|
||||
- [4.1 Update the RBD Nodeplugin RBAC](#41-update-the-rbd-nodeplugin-rbac)
|
||||
- [4.2 Update the RBD Nodeplugin daemonset](#42-update-the-rbd-nodeplugin-daemonset)
|
||||
- [Delete removed RBD PSP, Role and RoleBinding](#delete-removed-rbd-psp-role-and-rolebinding)
|
||||
- [Upgrading NFS](#upgrading-nfs)
|
||||
- [5. Upgrade NFS Provisioner resources](#5-upgrade-nfs-provisioner-resources)
|
||||
- [5.1 Update the NFS Provisioner RBAC](#51-update-the-nfs-provisioner-rbac)
|
||||
@ -231,6 +233,20 @@ For each node:
|
||||
- The pod deletion causes the pods to be restarted and updated automatically
|
||||
on the node.
|
||||
|
||||
#### Delete removed CephFS PSP, Role and RoleBinding
|
||||
|
||||
As PSP is deprecated in Kubernetes v1.21.0. Delete PSP related objects as PSP
|
||||
support for CephFS is removed.
|
||||
|
||||
```console
|
||||
kubectl delete psp cephfs-csi-provisioner-psp --ignore-not-found
|
||||
kubectl delete role cephfs-csi-provisioner-psp --ignore-not-found
|
||||
kubectl delete rolebinding cephfs-csi-provisioner-psp --ignore-not-found
|
||||
kubectl delete psp cephfs-csi-nodeplugin-psp --ignore-not-found
|
||||
kubectl delete role cephfs-csi-nodeplugin-psp --ignore-not-found
|
||||
kubectl delete rolebinding cephfs-csi-nodeplugin-psp --ignore-not-found
|
||||
```
|
||||
|
||||
we have successfully upgraded cephfs csi from v3.6 to v3.7
|
||||
|
||||
### Upgrading RBD
|
||||
@ -297,6 +313,23 @@ daemonset.apps/csi-rbdplugin configured
|
||||
service/csi-metrics-rbdplugin configured
|
||||
```
|
||||
|
||||
#### Delete removed RBD PSP, Role and RoleBinding
|
||||
|
||||
As PSP is deprecated in Kubernetes v1.21.0. Delete PSP related objects as PSP
|
||||
support for RBD is removed.
|
||||
|
||||
```console
|
||||
kubectl delete psp rbd-csi-provisioner-psp --ignore-not-found
|
||||
kubectl delete role rbd-csi-provisioner-psp --ignore-not-found
|
||||
kubectl delete rolebinding rbd-csi-provisioner-psp --ignore-not-found
|
||||
kubectl delete psp rbd-csi-nodeplugin-psp --ignore-not-found
|
||||
kubectl delete role rbd-csi-nodeplugin-psp --ignore-not-found
|
||||
kubectl delete rolebinding rbd-csi-nodeplugin-psp --ignore-not-found
|
||||
kubectl delete psp rbd-csi-vault-token-review-psp --ignore-not-found
|
||||
kubectl delete role rbd-csi-vault-token-review-psp --ignore-not-found
|
||||
kubectl delete rolebinding rbd-csi-vault-token-review-psp --ignore-not-found
|
||||
```
|
||||
|
||||
we have successfully upgraded RBD csi from v3.6 to v3.7
|
||||
|
||||
### Upgrading NFS
|
||||
|
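Review bot: The new `kubectl delete role ...` and `kubectl delete rolebinding ...` lines in "Delete removed RBD PSP, Role and RoleBinding" pass no `-n`, but Role and RoleBinding are namespaced (the deleted example manifests carry `# replace with non-default namespace name` above every `namespace: default`), so on any non-default install these commands target the current-context namespace, `--ignore-not-found` turns the miss into a silent success, and the stale binding granting `use` on the privileged PSP is left in place; the CephFS section above has the same gap. Suggest `kubectl delete role rbd-csi-nodeplugin-psp --ignore-not-found -n <ceph-csi-namespace>` and the same `-n` on the other role/rolebinding lines, leaving only the cluster-scoped `kubectl delete psp` calls without it. The section also never states what replaces PSP: an operator upgrading onto a cluster that enforces Pod Security Admission needs to know the node plugin requires the `privileged` level (it ran with `privileged: true`, `hostPID`, `hostNetwork` and `SYS_ADMIN` under the removed PSP), so a sentence such as `If Pod Security Admission is enforced, label the ceph-csi namespace pod-security.kubernetes.io/enforce=privileged before updating the nodeplugin daemonset.` belongs here.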
@ -140,16 +140,6 @@ Those manifests deploy service accounts, cluster roles and cluster role
|
||||
bindings. These are shared for both RBD and CephFS CSI plugins, as they require
|
||||
the same permissions.
|
||||
|
||||
**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
|
||||
|
||||
**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
|
||||
admission controller is active on your cluster.
|
||||
|
||||
```bash
|
||||
kubectl create -f csi-provisioner-psp.yaml
|
||||
kubectl create -f csi-nodeplugin-psp.yaml
|
||||
```
|
||||
|
||||
**Deploy ConfigMap for CSI plugins:**
|
||||
|
||||
```bash
|
||||
|
@ -109,16 +109,6 @@ Those manifests deploy service accounts, cluster roles and cluster role
|
||||
bindings. These are shared for both RBD and CephFS CSI plugins, as they require
|
||||
the same permissions.
|
||||
|
||||
**Deploy PodSecurityPolicy resources for sidecar containers and node plugins:**
|
||||
|
||||
**NOTE:** These manifests are required only if [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy)
|
||||
admission controller is active on your cluster.
|
||||
|
||||
```bash
|
||||
kubectl create -f csi-provisioner-psp.yaml
|
||||
kubectl create -f csi-nodeplugin-psp.yaml
|
||||
```
|
||||
|
||||
**Deploy ConfigMap for CSI plugins:**
|
||||
|
||||
```bash
|
||||
|
@ -61,7 +61,7 @@ storageclass yaml
|
||||
```
|
||||
|
||||
- For standard templates edit [csi-rbdplugin.yaml](../deploy/rbd/kubernetes/csi-rbdplugin.yaml)
|
||||
to update `hostPath` for `ceph-logdir`, also edit psp [csi-nodeplugin-psp.yaml](../deploy/rbd/kubernetes/csi-nodeplugin-psp.yaml)
|
||||
to update `hostPath` for `ceph-logdir`.
|
||||
to update `pathPrefix` spec entries.
|
||||
- Update the StorageClass with the customized log directory path
|
||||
- Now update rbd StorageClass for `cephLogDir`, for example
|
||||
|
@ -34,10 +34,8 @@ import (
|
||||
var (
|
||||
cephFSProvisioner = "csi-cephfsplugin-provisioner.yaml"
|
||||
cephFSProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
||||
cephFSProvisionerPSP = "csi-provisioner-psp.yaml"
|
||||
cephFSNodePlugin = "csi-cephfsplugin.yaml"
|
||||
cephFSNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
||||
cephFSNodePluginPSP = "csi-nodeplugin-psp.yaml"
|
||||
cephFSDeploymentName = "csi-cephfsplugin-provisioner"
|
||||
cephFSDeamonSetName = "csi-cephfsplugin"
|
||||
cephFSContainerName = "csi-cephfsplugin"
|
||||
@ -83,10 +81,6 @@ func createORDeleteCephfsResources(action kubectlAction) {
|
||||
filename: cephFSDirPath + cephFSProvisionerRBAC,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
&yamlResourceNamespaced{
|
||||
filename: cephFSDirPath + cephFSProvisionerPSP,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
// the provisioner itself
|
||||
&yamlResourceNamespaced{
|
||||
filename: cephFSDirPath + cephFSProvisioner,
|
||||
@ -98,10 +92,6 @@ func createORDeleteCephfsResources(action kubectlAction) {
|
||||
filename: cephFSDirPath + cephFSNodePluginRBAC,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
&yamlResourceNamespaced{
|
||||
filename: cephFSDirPath + cephFSNodePluginPSP,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
// the node-plugin itself
|
||||
&yamlResourceNamespaced{
|
||||
filename: cephFSDirPath + cephFSNodePlugin,
|
||||
|
@ -30,7 +30,6 @@ import (
|
||||
var (
|
||||
vaultExamplePath = "../examples/kms/vault/"
|
||||
vaultServicePath = "vault.yaml"
|
||||
vaultPSPPath = "vault-psp.yaml"
|
||||
vaultRBACPath = "csi-vaulttokenreview-rbac.yaml"
|
||||
vaultConfigPath = "kms-config.yaml"
|
||||
vaultTenantPath = "tenant-sa.yaml"
|
||||
@ -99,15 +98,6 @@ func createORDeleteVault(action kubectlAction) {
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to %s vault configmap %v", action, err)
|
||||
}
|
||||
|
||||
data, err = replaceNamespaceInTemplate(vaultExamplePath + vaultPSPPath)
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to read content from %s %v", vaultExamplePath+vaultPSPPath, err)
|
||||
}
|
||||
err = retryKubectlInput(cephCSINamespace, action, data, deployTimeout)
|
||||
if err != nil {
|
||||
e2elog.Failf("failed to %s vault psp %v", action, err)
|
||||
}
|
||||
}
|
||||
|
||||
// createTenantServiceAccount uses the tenant-sa.yaml example file to create
|
||||
|
10
e2e/nfs.go
10
e2e/nfs.go
@ -37,10 +37,8 @@ import (
|
||||
var (
|
||||
nfsProvisioner = "csi-nfsplugin-provisioner.yaml"
|
||||
nfsProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
||||
nfsProvisionerPSP = "csi-provisioner-psp.yaml"
|
||||
nfsNodePlugin = "csi-nfsplugin.yaml"
|
||||
nfsNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
||||
nfsNodePluginPSP = "csi-nodeplugin-psp.yaml"
|
||||
nfsRookCephNFS = "rook-nfs.yaml"
|
||||
nfsDeploymentName = "csi-nfsplugin-provisioner"
|
||||
nfsDeamonSetName = "csi-nfsplugin"
|
||||
@ -95,10 +93,6 @@ func createORDeleteNFSResources(f *framework.Framework, action kubectlAction) {
|
||||
filename: nfsDirPath + nfsProvisionerRBAC,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
&yamlResourceNamespaced{
|
||||
filename: nfsDirPath + nfsProvisionerPSP,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
// the provisioner itself
|
||||
&yamlResourceNamespaced{
|
||||
filename: nfsDirPath + nfsProvisioner,
|
||||
@ -110,10 +104,6 @@ func createORDeleteNFSResources(f *framework.Framework, action kubectlAction) {
|
||||
filename: nfsDirPath + nfsNodePluginRBAC,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
&yamlResourceNamespaced{
|
||||
filename: nfsDirPath + nfsNodePluginPSP,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
// the node-plugin itself
|
||||
&yamlResourceNamespaced{
|
||||
filename: nfsDirPath + nfsNodePlugin,
|
||||
|
10
e2e/rbd.go
10
e2e/rbd.go
@ -38,10 +38,8 @@ import (
|
||||
var (
|
||||
rbdProvisioner = "csi-rbdplugin-provisioner.yaml"
|
||||
rbdProvisionerRBAC = "csi-provisioner-rbac.yaml"
|
||||
rbdProvisionerPSP = "csi-provisioner-psp.yaml"
|
||||
rbdNodePlugin = "csi-rbdplugin.yaml"
|
||||
rbdNodePluginRBAC = "csi-nodeplugin-rbac.yaml"
|
||||
rbdNodePluginPSP = "csi-nodeplugin-psp.yaml"
|
||||
configMap = "csi-config-map.yaml"
|
||||
cephConfconfigMap = "ceph-conf.yaml"
|
||||
csiDriverObject = "csidriver.yaml"
|
||||
@ -145,10 +143,6 @@ func createORDeleteRbdResources(action kubectlAction) {
|
||||
filename: rbdDirPath + rbdProvisionerRBAC,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
&yamlResourceNamespaced{
|
||||
filename: rbdDirPath + rbdProvisionerPSP,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
// the provisioner itself
|
||||
&yamlResourceNamespaced{
|
||||
filename: rbdDirPath + rbdProvisioner,
|
||||
@ -161,10 +155,6 @@ func createORDeleteRbdResources(action kubectlAction) {
|
||||
filename: rbdDirPath + rbdNodePluginRBAC,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
&yamlResourceNamespaced{
|
||||
filename: rbdDirPath + rbdNodePluginPSP,
|
||||
namespace: cephCSINamespace,
|
||||
},
|
||||
// the node-plugin itself
|
||||
&yamlResourceNamespaced{
|
||||
filename: rbdDirPath + rbdNodePlugin,
|
||||
|
@ -1,47 +0,0 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: rbd-csi-vault-token-review-psp
|
||||
spec:
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'secret'
|
||||
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
name: rbd-csi-vault-token-review-psp
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames: ['rbd-csi-vault-token-review-psp']
|
||||
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: rbd-csi-vault-token-review-psp
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: rbd-csi-vault-token-review
|
||||
# replace with non-default namespace name
|
||||
namespace: default
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: rbd-csi-vault-token-review-psp
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -169,7 +169,7 @@ install_cephcsi_helm_charts() {
|
||||
fi
|
||||
# install ceph-csi-cephfs and ceph-csi-rbd charts
|
||||
# shellcheck disable=SC2086
|
||||
"${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-cephfsplugin-provisioner --set nodeplugin.fullnameOverride=csi-cephfsplugin --set configMapName=ceph-csi-config --set provisioner.podSecurityPolicy.enabled=true --set nodeplugin.podSecurityPolicy.enabled=true --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${CEPHFS_SECRET_TEMPLATE_VALUES} ${CEPHFS_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-cephfs
|
||||
"${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-cephfsplugin-provisioner --set nodeplugin.fullnameOverride=csi-cephfsplugin --set configMapName=ceph-csi-config --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${CEPHFS_SECRET_TEMPLATE_VALUES} ${CEPHFS_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-cephfs
|
||||
check_deployment_status app=ceph-csi-cephfs ${NAMESPACE}
|
||||
check_daemonset_status app=ceph-csi-cephfs ${NAMESPACE}
|
||||
|
||||
@ -179,7 +179,7 @@ install_cephcsi_helm_charts() {
|
||||
kubectl_retry delete cm ceph-config --namespace ${NAMESPACE}
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
"${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-rbdplugin-provisioner --set nodeplugin.fullnameOverride=csi-rbdplugin --set configMapName=ceph-csi-config --set provisioner.podSecurityPolicy.enabled=true --set nodeplugin.podSecurityPolicy.enabled=true --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${RBD_SECRET_TEMPLATE_VALUES} ${RBD_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-rbd --set topology.enabled=true --set topology.domainLabels="{${NODE_LABEL_REGION},${NODE_LABEL_ZONE}}" --set provisioner.maxSnapshotsOnImage=3 --set provisioner.minSnapshotsOnImage=2
|
||||
"${HELM}" install --namespace ${NAMESPACE} --set provisioner.fullnameOverride=csi-rbdplugin-provisioner --set nodeplugin.fullnameOverride=csi-rbdplugin --set configMapName=ceph-csi-config --set provisioner.replicaCount=1 ${SET_SC_TEMPLATE_VALUES} ${RBD_SECRET_TEMPLATE_VALUES} ${RBD_CHART_NAME} "${SCRIPT_DIR}"/../charts/ceph-csi-rbd --set topology.enabled=true --set topology.domainLabels="{${NODE_LABEL_REGION},${NODE_LABEL_ZONE}}" --set provisioner.maxSnapshotsOnImage=3 --set provisioner.minSnapshotsOnImage=2
|
||||
|
||||
check_deployment_status app=ceph-csi-rbd ${NAMESPACE}
|
||||
check_daemonset_status app=ceph-csi-rbd ${NAMESPACE}
|
||||
|
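Review bot: Dropping `--set provisioner.podSecurityPolicy.enabled=true --set nodeplugin.podSecurityPolicy.enabled=true` from both `helm install` lines leaves the e2e chart installs with no pod-security constraint at all, and nothing in this section replaces the check those flags exercised. If the charts' `values.yaml` still declares a `podSecurityPolicy.enabled` key (not visible here), it becomes a dead toggle and should go in the same change so users do not assume it still enables anything. To keep the node-plugin's privileged requirement explicit under Pod Security Admission, consider labelling the target namespace before the installs, e.g. `kubectl label ns ${NAMESPACE} pod-security.kubernetes.io/enforce=privileged --overwrite`. `install_cephcsi_helm_charts` starts outside the hunk.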
@ -61,17 +61,14 @@ function create_or_delete_resource() {
|
||||
local namespace=$2
|
||||
temp_rbac=${TEMP_DIR}/snapshot-rbac.yaml
|
||||
temp_snap_controller=${TEMP_DIR}/snapshot-controller.yaml
|
||||
snapshotter_psp="${SCRIPT_DIR}/snapshot-controller-psp.yaml"
|
||||
mkdir -p "${TEMP_DIR}"
|
||||
curl -o "${temp_rbac}" "${SNAPSHOT_RBAC}"
|
||||
curl -o "${temp_snap_controller}" "${SNAPSHOT_CONTROLLER}"
|
||||
sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${temp_rbac}"
|
||||
sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${temp_snap_controller}"
|
||||
sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${snapshotter_psp}"
|
||||
sed -i "s/canary/${SNAPSHOT_VERSION}/g" "${temp_snap_controller}"
|
||||
|
||||
kubectl "${operation}" -f "${temp_rbac}"
|
||||
kubectl "${operation}" -f "${snapshotter_psp}"
|
||||
kubectl "${operation}" -f "${temp_snap_controller}" -n "${namespace}"
|
||||
kubectl "${operation}" -f "${SNAPSHOTCLASS}"
|
||||
kubectl "${operation}" -f "${VOLUME_SNAPSHOT_CONTENT}"
|
||||
|
@ -212,9 +212,6 @@ CSI_IMAGE_VERSION=${CSI_IMAGE_VERSION:-"v3.7-canary"}
|
||||
#feature-gates for kube
|
||||
K8S_FEATURE_GATES=${K8S_FEATURE_GATES:-""}
|
||||
|
||||
#extra-config for kube https://minikube.sigs.k8s.io/docs/reference/configuration/kubernetes/
|
||||
EXTRA_CONFIG_PSP="--extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy"
|
||||
|
||||
# kubelet.resolv-conf needs to point to a file, not a symlink
|
||||
# the default minikube VM has /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
|
||||
RESOLV_CONF='/run/systemd/resolve/resolv.conf'
|
||||
@ -265,7 +262,7 @@ up)
|
||||
K8S_FEATURE_GATES="${K8S_FEATURE_GATES},RecoverVolumeExpansionFailure=true"
|
||||
fi
|
||||
# shellcheck disable=SC2086
|
||||
${minikube} start --force --memory="${MEMORY}" --cpus="${CPUS}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" --cni="${CNI}" ${EXTRA_CONFIG} ${EXTRA_CONFIG_PSP} --wait-timeout="${MINIKUBE_WAIT_TIMEOUT}" --wait="${MINIKUBE_WAIT}" --delete-on-failure ${DISK_CONFIG}
|
||||
${minikube} start --force --memory="${MEMORY}" --cpus="${CPUS}" -b kubeadm --kubernetes-version="${KUBE_VERSION}" --driver="${VM_DRIVER}" --feature-gates="${K8S_FEATURE_GATES}" --cni="${CNI}" ${EXTRA_CONFIG} --wait-timeout="${MINIKUBE_WAIT_TIMEOUT}" --wait="${MINIKUBE_WAIT}" --delete-on-failure ${DISK_CONFIG}
|
||||
|
||||
# create a link so the default dataDirHostPath will work for this
|
||||
# environment
|
||||
|
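Review bot: Removing `${EXTRA_CONFIG_PSP}` from the `minikube start` line means the API server is no longer started with any pod-security admission the e2e run can rely on, and the new line carries no hint of that trade-off. On the Kubernetes versions this script can be pointed at via `KUBE_VERSION` (set outside the hunk), the built-in PodSecurity admission is on by default from 1.23 on as far as I recall, but it enforces nothing until a namespace is labelled, so the cluster effectively runs unconstrained. A one-line comment above the start line would keep that visible, e.g. `# PSP admission is gone; pod security is left to namespace-level Pod Security Admission labels`. The `up)` case arm continues outside the hunk.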
135
scripts/psp.yaml
135
scripts/psp.yaml
@ -1,135 +0,0 @@
|
||||
# Required PodSecurityPolicies, Roles and RoleBindings
|
||||
# for minikube to bootstrap when PSPs are enabled
|
||||
# https://minikube.sigs.k8s.io/docs/tutorials/using_psp/
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: privileged
|
||||
annotations:
|
||||
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: EnsureExists
|
||||
spec:
|
||||
privileged: true
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- "*"
|
||||
volumes:
|
||||
- "*"
|
||||
hostNetwork: true
|
||||
hostPorts:
|
||||
- min: 0
|
||||
max: 65535
|
||||
hostIPC: true
|
||||
hostPID: true
|
||||
runAsUser:
|
||||
rule: 'RunAsAny'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'RunAsAny'
|
||||
fsGroup:
|
||||
rule: 'RunAsAny'
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: restricted
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: EnsureExists
|
||||
spec:
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
- 'downwardAPI'
|
||||
- 'persistentVolumeClaim'
|
||||
hostNetwork: false
|
||||
hostIPC: false
|
||||
hostPID: false
|
||||
runAsUser:
|
||||
rule: 'MustRunAsNonRoot'
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
supplementalGroups:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
fsGroup:
|
||||
rule: 'MustRunAs'
|
||||
ranges:
|
||||
# Forbid adding the root group.
|
||||
- min: 1
|
||||
max: 65535
|
||||
readOnlyRootFilesystem: false
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: psp:privileged
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: EnsureExists
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- privileged
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: psp:restricted
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: EnsureExists
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- restricted
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: default:restricted
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: EnsureExists
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: psp:restricted
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: system:authenticated
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: default:privileged
|
||||
namespace: kube-system
|
||||
labels:
|
||||
addonmanager.kubernetes.io/mode: EnsureExists
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: psp:privileged
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: system:masters
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
- kind: Group
|
||||
name: system:nodes
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
- kind: Group
|
||||
name: system:serviceaccounts:kube-system
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -1,55 +0,0 @@
|
||||
---
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
metadata:
|
||||
name: csi-snapshotter-psp
|
||||
namespace: kube-system
|
||||
spec:
|
||||
allowPrivilegeEscalation: true
|
||||
allowedCapabilities:
|
||||
- "SYS_ADMIN"
|
||||
fsGroup:
|
||||
rule: RunAsAny
|
||||
privileged: true
|
||||
runAsUser:
|
||||
rule: RunAsAny
|
||||
seLinux:
|
||||
rule: RunAsAny
|
||||
supplementalGroups:
|
||||
rule: RunAsAny
|
||||
volumes:
|
||||
- "configMap"
|
||||
- "emptyDir"
|
||||
- "secret"
|
||||
- "projected"
|
||||
- "hostPath"
|
||||
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-snapshotter-psp
|
||||
# replace with non-kube-system namespace name
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups: ["policy"]
|
||||
resources: ["podsecuritypolicies"]
|
||||
verbs: ["use"]
|
||||
resourceNames: ["csi-snapshotter-psp"]
|
||||
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-snapshotter-psp
|
||||
# replace with non-kube-system namespace name
|
||||
namespace: kube-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: snapshot-controller
|
||||
# replace with non-kube-system namespace name
|
||||
namespace: kube-system
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: csi-snapshotter-psp
|
||||
apiGroup: rbac.authorization.k8s.io
|