deploy: configurable podSecurityContexts in ceph-csi-cephfs

pod-level security contexts for nodeplugin daemonset and provisioner
deployment can be set via helm values.yaml

Signed-off-by: 1602077 <62025739+1602077@users.noreply.github.com>
This commit is contained in:
1602077 2024-06-05 13:27:49 +02:00 committed by mergify[bot]
parent b715bbeb8c
commit ea42a0e873
5 changed files with 10 additions and 0 deletions

View File

@ -4,4 +4,6 @@
## Features ## Features
- deploy: podSecurityContexts can be configured for ceph-csi-cephfs chart in [PR](https://github.com/ceph/ceph-csi/pull/4664).
## NOTE ## NOTE

View File

@ -129,6 +129,7 @@ charts and their default values.
| `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` | | `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
| `nodeplugin.plugin.image.tag` | Image tag | `canary` | | `nodeplugin.plugin.image.tag` | Image tag | `canary` |
| `nodeplugin.plugin.image.pullPolicy` | Image pull policy | `IfNotPresent` | | `nodeplugin.plugin.image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `nodeplugin.podSecurityContext` | Specifies pod-level security context. | `{}` |
| `nodeplugin.nodeSelector` | Kubernetes `nodeSelector` to add to the Daemonset | `{}` | | `nodeplugin.nodeSelector` | Kubernetes `nodeSelector` to add to the Daemonset | `{}` |
| `nodeplugin.tolerations` | List of Kubernetes `tolerations` to add to the Daemonset | `{}` | | `nodeplugin.tolerations` | List of Kubernetes `tolerations` to add to the Daemonset | `{}` |
| `nodeplugin.forcecephkernelclient` | Set to true to enable Ceph Kernel clients on kernel < 4.17 which support quotas | `true` | | `nodeplugin.forcecephkernelclient` | Set to true to enable Ceph Kernel clients on kernel < 4.17 which support quotas | `true` |
@ -163,6 +164,7 @@ charts and their default values.
| `provisioner.tolerations` | Specifies the tolerations for provisioner deployment | `{}` | | `provisioner.tolerations` | Specifies the tolerations for provisioner deployment | `{}` |
| `provisioner.affinity` | Specifies the affinity for provisioner deployment | `{}` | | `provisioner.affinity` | Specifies the affinity for provisioner deployment | `{}` |
| `provisioner.podSecurityPolicy.enabled` | Specifies whether podSecurityPolicy is enabled | `false` | | `provisioner.podSecurityPolicy.enabled` | Specifies whether podSecurityPolicy is enabled | `false` |
| `provisioner.podSecurityContext` | Specifies pod-level security context. | `{}` |
| `provisionerSocketFile` | The filename of the provisioner socket | `csi-provisioner.sock` | | `provisionerSocketFile` | The filename of the provisioner socket | `csi-provisioner.sock` |
| `pluginSocketFile` | The filename of the plugin socket | `csi.sock` | | `pluginSocketFile` | The filename of the plugin socket | `csi.sock` |
| `readAffinity.enabled` | Enable read affinity for CephFS subvolumes. Recommended to set to true if running kernel 5.8 or newer. | `false` | | `readAffinity.enabled` | Enable read affinity for CephFS subvolumes. Recommended to set to true if running kernel 5.8 or newer. | `false` |

View File

@ -28,6 +28,7 @@ spec:
heritage: {{ .Release.Service }} heritage: {{ .Release.Service }}
{{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
spec: spec:
securityContext: {{ toYaml .Values.nodeplugin.podSecurityContext | nindent 8 }}
serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }} serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
{{- if .Values.nodeplugin.priorityClassName }} {{- if .Values.nodeplugin.priorityClassName }}
priorityClassName: {{ .Values.nodeplugin.priorityClassName }} priorityClassName: {{ .Values.nodeplugin.priorityClassName }}

View File

@ -57,6 +57,7 @@ spec:
{{ toYaml .Values.provisioner.affinity | indent 8 -}} {{ toYaml .Values.provisioner.affinity | indent 8 -}}
{{- end -}} {{- end -}}
{{- end }} {{- end }}
securityContext: {{ toYaml .Values.provisioner.podSecurityContext | nindent 8 }}
serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.provisioner" . }} serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.provisioner" . }}
hostNetwork: {{ .Values.provisioner.enableHostNetwork }} hostNetwork: {{ .Values.provisioner.enableHostNetwork }}
{{- if .Values.provisioner.priorityClassName }} {{- if .Values.provisioner.priorityClassName }}

View File

@ -127,6 +127,8 @@ nodeplugin:
affinity: {} affinity: {}
podSecurityContext: {}
# Set to true to enable Ceph Kernel clients # Set to true to enable Ceph Kernel clients
# on kernel < 4.17 which support quotas # on kernel < 4.17 which support quotas
# forcecephkernelclient: true # forcecephkernelclient: true
@ -244,6 +246,8 @@ provisioner:
affinity: {} affinity: {}
podSecurityContext: {}
# readAffinity: # readAffinity:
# Enable read affinity for CephFS subvolumes. Recommended to # Enable read affinity for CephFS subvolumes. Recommended to
# set to true if running kernel 5.8 or newer. # set to true if running kernel 5.8 or newer.