CSI: run all containers as privileged in daemonset pods

On systems with SELinux enabled, non-privileged containers
can't access data of privileged containers. Since the socket
is exposed by a privileged container, all sidecars must be
privileged too. This is needed only for containers running
in the daemonset, as we are using bidirectional mounts there.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit e0cc7740f6)
This commit is contained in:
Madhu Rajanna 2020-01-13 09:44:18 +05:30 committed by Madhu Rajanna
parent a816d41e4f
commit f4d05a3ef9
6 changed files with 42 additions and 0 deletions


@ -31,6 +31,11 @@ spec:
dnsPolicy: ClusterFirstWithHostNet dnsPolicy: ClusterFirstWithHostNet
containers: containers:
- name: driver-registrar - name: driver-registrar
# This is necessary only for systems with SELinux, where
# non-privileged sidecar containers cannot access unix domain socket
# created by privileged CSI driver container.
securityContext:
privileged: true
image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
args: args:
@ -127,6 +132,8 @@ spec:
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
{{- if .Values.nodeplugin.httpMetrics.enabled }} {{- if .Values.nodeplugin.httpMetrics.enabled }}
- name: liveness-prometheus - name: liveness-prometheus
securityContext:
privileged: true
image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
args: args:
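Review bot: The `liveness-prometheus` stanza in the second hunk gets `securityContext: privileged: true` without the explanatory comment that the `driver-registrar` hunk carries, so a reader of that stanza has no way to tell why a metrics sidecar is privileged; add the same three comment lines above its `securityContext:`. The comment also states the setting is needed "only for systems with SELinux", yet the template applies it unconditionally, so both sidecars now run privileged on every host, SELinux or not; a chart value to opt out (a constructed name such as `nodeplugin.privilegedSidecars`, to be chosen) would let non-SELinux deployments keep the sidecars unprivileged. The same two points apply to the second template at L43–L63. The enclosing `spec:` block starts and ends outside both hunks.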


@ -34,6 +34,11 @@ spec:
dnsPolicy: ClusterFirstWithHostNet dnsPolicy: ClusterFirstWithHostNet
containers: containers:
- name: driver-registrar - name: driver-registrar
# This is necessary only for systems with SELinux, where
# non-privileged sidecar containers cannot access unix domain socket
# created by privileged CSI driver container.
securityContext:
privileged: true
image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
args: args:
@ -126,6 +131,8 @@ spec:
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
{{- if .Values.nodeplugin.httpMetrics.enabled }} {{- if .Values.nodeplugin.httpMetrics.enabled }}
- name: liveness-prometheus - name: liveness-prometheus
securityContext:
privileged: true
image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
args: args:


@ -20,6 +20,11 @@ spec:
containers: containers:
- name: driver-registrar - name: driver-registrar
image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0 image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
# This is necessary only for systems with SELinux, where
# non-privileged sidecar containers cannot access unix domain socket
# created by privileged CSI driver container.
securityContext:
privileged: true
args: args:
- "--v=5" - "--v=5"
- "--csi-address=/csi/csi.sock" - "--csi-address=/csi/csi.sock"
@ -103,6 +108,8 @@ spec:
mountPath: /tmp/csi/keys mountPath: /tmp/csi/keys
- name: liveness-prometheus - name: liveness-prometheus
image: quay.io/cephcsi/cephcsi:v1.2.2 image: quay.io/cephcsi/cephcsi:v1.2.2
securityContext:
privileged: true
args: args:
- "--type=liveness" - "--type=liveness"
- "--endpoint=$(CSI_ENDPOINT)" - "--endpoint=$(CSI_ENDPOINT)"
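Review bot: `privileged: true` is broader than the problem being solved: a privileged container gets every capability and host device access in addition to an unconfined SELinux label, while the stated need is only that the sidecar can open the socket created by the privileged driver container. Before settling on this, it is worth checking whether `securityContext.seLinuxOptions` on these containers (or at pod level) gives them a label that can reach the socket without dropping the other restrictions; if privileged has to stay, the comment should say so explicitly, e.g. `# privileged is used (rather than a narrower seLinuxOptions label) because the sidecar must reach the socket of the privileged driver container; this also grants all capabilities and host devices.` The `liveness-prometheus` hunk here again lacks any comment at all. The same applies to the manifests at L91–L111, L115–L135 and L139–L159; the enclosing `spec:` block is outside each hunk.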


@ -20,6 +20,11 @@ spec:
containers: containers:
- name: driver-registrar - name: driver-registrar
image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0 image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
# This is necessary only for systems with SELinux, where
# non-privileged sidecar containers cannot access unix domain socket
# created by privileged CSI driver container.
securityContext:
privileged: true
args: args:
- "--v=5" - "--v=5"
- "--csi-address=/csi/csi.sock" - "--csi-address=/csi/csi.sock"
@ -102,6 +107,8 @@ spec:
mountPath: /tmp/csi/keys mountPath: /tmp/csi/keys
- name: liveness-prometheus - name: liveness-prometheus
image: quay.io/cephcsi/cephcsi:v1.2.2 image: quay.io/cephcsi/cephcsi:v1.2.2
securityContext:
privileged: true
args: args:
- "--type=liveness" - "--type=liveness"
- "--endpoint=$(CSI_ENDPOINT)" - "--endpoint=$(CSI_ENDPOINT)"


@ -23,6 +23,11 @@ spec:
containers: containers:
- name: driver-registrar - name: driver-registrar
image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0 image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
# This is necessary only for systems with SELinux, where
# non-privileged sidecar containers cannot access unix domain socket
# created by privileged CSI driver container.
securityContext:
privileged: true
args: args:
- "--v=5" - "--v=5"
- "--csi-address=/csi/csi.sock" - "--csi-address=/csi/csi.sock"
@ -97,6 +102,8 @@ spec:
mountPath: /tmp/csi/keys mountPath: /tmp/csi/keys
- name: liveness-prometheus - name: liveness-prometheus
image: quay.io/cephcsi/cephcsi:v1.2.2 image: quay.io/cephcsi/cephcsi:v1.2.2
securityContext:
privileged: true
args: args:
- "--type=liveness" - "--type=liveness"
- "--endpoint=$(CSI_ENDPOINT)" - "--endpoint=$(CSI_ENDPOINT)"


@ -23,6 +23,11 @@ spec:
containers: containers:
- name: driver-registrar - name: driver-registrar
image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0 image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0
# This is necessary only for systems with SELinux, where
# non-privileged sidecar containers cannot access unix domain socket
# created by privileged CSI driver container.
securityContext:
privileged: true
args: args:
- "--v=5" - "--v=5"
- "--csi-address=/csi/csi.sock" - "--csi-address=/csi/csi.sock"
@ -101,6 +106,8 @@ spec:
mountPath: /tmp/csi/keys mountPath: /tmp/csi/keys
- name: liveness-prometheus - name: liveness-prometheus
image: quay.io/cephcsi/cephcsi:v1.2.2 image: quay.io/cephcsi/cephcsi:v1.2.2
securityContext:
privileged: true
args: args:
- "--type=liveness" - "--type=liveness"
- "--endpoint=$(CSI_ENDPOINT)" - "--endpoint=$(CSI_ENDPOINT)"