deploy: allow rbd nodeplugin to read ConfigMaps from Tenants

Tenants can have their own ConfigMap that contains connection parameters to the Vault Service where the PV encyption keys are located. It is possible for a Tenant to use a different Vault Service than the one configured by the Storage Admin who deployed Ceph-CSI. For this, the node-plugin needs to be able to read the ConfigMap from the Tenants namespace. See-also: docs/design/proposals/encryption-with-vault-tokens.md Signed-off-by: Niels de Vos <ndevos@redhat.com>
2024-09-19 15:09:56 +00:00 · 2020-12-16 09:52:36 +01:00 · 2020-12-16 09:52:36 +01:00 · dd29c6c06b
commit dd29c6c06b
parent b3fbcb9c95
2 changed files with 8 additions and 0 deletions
--- a/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
+++ b/charts/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml
@ -15,7 +15,11 @@ rules:
    resources: ["nodes"]
    verbs: ["get"]
 {{- end }}
+  # allow to read Vault Token and connection options from the Tenants namespace
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
 {{- end -}}
--- a/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
+++ b/deploy/rbd/kubernetes/csi-nodeplugin-rbac.yaml
@ -12,9 +12,13 @@ rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
+  # allow to read Vault Token and connection options from the Tenants namespace
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1