deploy: allow rbd nodeplugin to read ConfigMaps from Tenants

Tenants can have their own ConfigMap that contains connection parameters
to the Vault Service where the PV encryption keys are located. It is
possible for a Tenant to use a different Vault Service than the one
configured by the Storage Admin who deployed Ceph-CSI.

For this, the node-plugin needs to be able to read the ConfigMap from
the Tenant's namespace.

See-also: docs/design/proposals/encryption-with-vault-tokens.md
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2020-12-16 09:52:36 +01:00 committed by mergify[bot]
parent b3fbcb9c95
commit dd29c6c06b
2 changed files with 8 additions and 0 deletions


@ -15,7 +15,11 @@ rules:
resources: ["nodes"] resources: ["nodes"]
verbs: ["get"] verbs: ["get"]
{{- end }} {{- end }}
# allow to read Vault Token and connection options from the Tenants namespace
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get"] verbs: ["get"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
{{- end -}} {{- end -}}
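Review bot: the new `configmaps` rule in this hunk is added to a ClusterRole (the chart template closes with `{{- end -}}` and the companion manifest hunk is followed by a `ClusterRoleBinding`), so the grant is cluster-wide, not limited to "the Tenants namespace" as the comment above the block says. The comment should state that the nodeplugin service account can `get` ConfigMaps in every namespace, and the chart's README or values documentation should mention the widened permission so cluster operators can review it. The choice of `verbs: ["get"]` only, with no `list` or `watch`, is the right minimum: the plugin must already know the ConfigMap name it needs, and it cannot enumerate ConfigMaps across namespaces. Placing the rule after the `{{- end }}` that closes the `nodes` conditional keeps it unconditional, consistent with the existing `secrets` rule it sits beside; that is fine, but worth confirming against the intent in docs/design/proposals/encryption-with-vault-tokens.md.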


@ -12,9 +12,13 @@ rules:
- apiGroups: [""] - apiGroups: [""]
resources: ["nodes"] resources: ["nodes"]
verbs: ["get"] verbs: ["get"]
# allow to read Vault Token and connection options from the Tenants namespace
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ["secrets"]
verbs: ["get"] verbs: ["get"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
--- ---
kind: ClusterRoleBinding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
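Review bot: the `# allow to read Vault Token and connection options from the Tenants namespace` comment now covers both the `secrets` and the new `configmaps` rule, but since the binding that follows is a `ClusterRoleBinding`, both grants apply to all namespaces; the comment should say so explicitly, and ideally point at docs/design/proposals/encryption-with-vault-tokens.md, so that anyone auditing the RBAC manifest sees the scope at a glance. Keeping the verbs at `["get"]` is correct and mirrors the `secrets` rule above it; please do not extend this to `list` in a follow-up without revisiting the design, because the narrow verb set is what keeps a compromised nodeplugin from enumerating tenant ConfigMaps.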