mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-09-19 23:19:52 +00:00
36e099d939
This new Go module allows other projects (like Rook) to consume deployment details (the SCC to get started) directly from Ceph-CSI. Based-on: https://github.com/rook/rook/blob/3c93eb3/cluster/examples/kubernetes/ceph/operator-openshift.yaml#L47-L90 Signed-off-by: Niels de Vos <ndevos@redhat.com>
44 lines
1.4 KiB
YAML
44 lines
1.4 KiB
YAML
---
|
|
kind: SecurityContextConstraints
|
|
apiVersion: security.openshift.io/v1
|
|
metadata:
|
|
name: "{{ .Prefix }}ceph-csi"
|
|
# To allow running privilegedContainers
|
|
allowPrivilegedContainer: true
|
|
# CSI daemonset pod needs hostnetworking
|
|
allowHostNetwork: true
|
|
# This need to be set to true as we use HostPath
|
|
allowHostDirVolumePlugin: true
|
|
priority:
|
|
# SYS_ADMIN is needed for rbd to execture rbd map command
|
|
allowedCapabilities: ["SYS_ADMIN"]
|
|
# Needed as we run liveness container on daemonset pods
|
|
allowHostPorts: true
|
|
# Needed as we are setting this in RBD plugin pod
|
|
allowHostPID: true
|
|
# Required for encryption
|
|
allowHostIPC: true
|
|
# Set to false as we write to RootFilesystem inside csi containers
|
|
readOnlyRootFilesystem: false
|
|
runAsUser:
|
|
type: RunAsAny
|
|
seLinuxContext:
|
|
type: RunAsAny
|
|
fsGroup:
|
|
type: RunAsAny
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
# The type of volumes which are mounted to csi pods
|
|
volumes:
|
|
- configMap
|
|
- projected
|
|
- emptyDir
|
|
- hostPath
|
|
users:
|
|
# A user needs to be added for each service account.
|
|
- "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-rbd-plugin-sa"
|
|
- "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-rbd-provisioner-sa"
|
|
- "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-cephfs-plugin-sa"
|
|
# yamllint disable-line rule:line-length
|
|
- "system:serviceaccount:{{ .Namespace }}:{{ .Prefix }}csi-cephfs-provisioner-sa"
|