From d56c9abbce3c90c4c9339b299fb44d153145812c Mon Sep 17 00:00:00 2001
From: Ruslan Khizhnyak
Date: Thu, 21 Mar 2024 01:58:05 +0300
Subject: [PATCH] helm: CSIDriver add labels and seLinuxMount disabling method

Signed-off-by: Ruslan Khizhnyak
---
 .../templates/csidriver-crd.yaml | 10 ++++++++--
 charts/ceph-csi-cephfs/values.yaml | 1 +
 .../ceph-csi-rbd/templates/csidriver-crd.yaml | 10 ++++++++--
 charts/ceph-csi-rbd/values.yaml | 18 ++++++++++++++++++
 4 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml b/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml
index f6fe14a3e..5aacbe271 100644
--- a/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml
+++ b/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml
@@ -2,10 +2,16 @@ apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
 name: {{ .Values.driverName }}
+ labels:
+ app: {{ include "ceph-csi-cephfs.name" . }}
+ chart: {{ include "ceph-csi-cephfs.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 spec:
 attachRequired: false
 podInfoOnMount: false
- fsGroupPolicy: {{ default "File" .Values.CSIDriver.fsGroupPolicy }}
-{{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }}
+ fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }}
+{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}
 seLinuxMount: true
 {{- end }}
diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml
index f222a6554..36d350b7c 100644
--- a/charts/ceph-csi-cephfs/values.yaml
+++ b/charts/ceph-csi-cephfs/values.yaml
@@ -57,6 +57,7 @@ sidecarLogLevel: 1
 # accessModes contains ReadWriteOnce.
 CSIDriver:
 fsGroupPolicy: "File"
+ seLinuxMount: true

 nodeplugin:
 name: nodeplugin
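Review bot: The new guard `{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}` reads a top-level `seLinuxMount` value, while both values.yaml hunks add the key directly after `fsGroupPolicy` under `CSIDriver:` (indentation is flattened on this page, so that nesting is inferred from position). If the key is nested, the condition is always false with the shipped defaults and `seLinuxMount: true` disappears from the rendered CSIDriver on upgrade, so Kubernetes would stop passing the SELinux context as a mount option for these volumes without anyone having asked for that. The guard should read the nested key: `{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.CSIDriver.seLinuxMount }}`. The identical line in the charts/ceph-csi-rbd/templates/csidriver-crd.yaml hunk needs the same change.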
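Review bot: The added `seLinuxMount: true` default is undocumented; the comment block that precedes `CSIDriver:` (only its last line is inside this hunk) describes `fsGroupPolicy` only, and the charts/ceph-csi-rbd/values.yaml hunk, where the whole block is visible, has the same gap. Since the switch changes an SELinux-related field of the CSIDriver object, a comment directly above the key would help operators, for example `# seLinuxMount: when true and the cluster is Kubernetes >= 1.25, the CSIDriver is created with spec.seLinuxMount: true; set to false to omit the field.` It is also worth stating which values path the template reads, so overrides are placed under the right key.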
diff --git a/charts/ceph-csi-rbd/templates/csidriver-crd.yaml b/charts/ceph-csi-rbd/templates/csidriver-crd.yaml
index 99026f628..d1524527e 100644
--- a/charts/ceph-csi-rbd/templates/csidriver-crd.yaml
+++ b/charts/ceph-csi-rbd/templates/csidriver-crd.yaml
@@ -2,10 +2,16 @@ apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
 name: {{ .Values.driverName }}
+ labels:
+ app: {{ include "ceph-csi-rbd.name" . }}
+ chart: {{ include "ceph-csi-rbd.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 spec:
 attachRequired: true
 podInfoOnMount: false
- fsGroupPolicy: File
-{{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }}
+ fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }}
+{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}
 seLinuxMount: true
 {{- end }}
diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml
index 1ad00ffa5..20e39cd8d 100644
--- a/charts/ceph-csi-rbd/values.yaml
+++ b/charts/ceph-csi-rbd/values.yaml
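Review bot: `fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }}` renders whatever the values hold with no fallback, where this file previously hard-coded `File` and the cephfs template carried `default "File"` until this commit removed it. If an override leaves the value empty, the field renders as null and the API server applies its own default (`ReadWriteOnceWithFSType`) rather than `File`, which changes when Kubernetes adjusts volume ownership and permissions for a pod's fsGroup. Keeping the fallback preserves the previous behaviour for such overrides: `fsGroupPolicy: {{ default "File" .Values.CSIDriver.fsGroupPolicy }}`. The same line in the charts/ceph-csi-cephfs/templates/csidriver-crd.yaml hunk should keep its default as well.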
@@ -69,6 +69,24 @@ logLevel: 5
 # sidecarLogLevel is the variable for Kubernetes sidecar container's log level
 sidecarLogLevel: 1

+# Set fsGroupPolicy for CSI Driver object spec
+# https://kubernetes-csi.github.io/docs/support-fsgroup.html
+# The following modes are supported:
+# - None: Indicates that volumes will be mounted with no modifications, as the
+# CSI volume driver does not support these operations.
+# - File: Indicates that the CSI volume driver supports volume ownership and
+# permission change via fsGroup, and Kubernetes may use fsGroup to change
+# permissions and ownership of the volume to match user requested fsGroup in
+# the pod's SecurityPolicy regardless of fstype or access mode.
+# - ReadWriteOnceWithFSType: Indicates that volumes will be examined to
+# determine if volume ownership and permissions should be modified to match
+# the pod's security policy.
+# Changes will only occur if the fsType is defined and the persistent volume's
+# accessModes contains ReadWriteOnce.
+CSIDriver:
+ fsGroupPolicy: "File"
+ seLinuxMount: true
+
 nodeplugin:
 name: nodeplugin
 # set user created priorityclassName for csi plugin pods. default is