mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-03 19:50:19 +00:00
e0cc7740f6
On systems with SELinux enabled, non-privileged containers can't access data of privileged containers. Since the socket is exposed by privileged containers, all sidecars must be privileged too. This is needed only for containers running in daemonset as we are using bidirectional mounts in daemonset Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
176 lines
5.2 KiB
YAML
176 lines
5.2 KiB
YAML
---
|
|
kind: DaemonSet
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: csi-rbdplugin
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: csi-rbdplugin
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: csi-rbdplugin
|
|
spec:
|
|
serviceAccount: rbd-csi-nodeplugin
|
|
hostNetwork: true
|
|
hostPID: true
|
|
# to use e.g. Rook orchestrated cluster, and mons' FQDN is
|
|
# resolved through k8s service, set dns policy to cluster first
|
|
dnsPolicy: ClusterFirstWithHostNet
|
|
containers:
|
|
- name: driver-registrar
|
|
# This is necessary only for systems with SELinux, where
|
|
# non-privileged sidecar containers cannot access unix domain socket
|
|
# created by privileged CSI driver container.
|
|
securityContext:
|
|
privileged: true
|
|
image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
|
|
args:
|
|
- "--v=5"
|
|
- "--csi-address=/csi/csi.sock"
|
|
- "--kubelet-registration-path=/var/lib/kubelet/plugins/rbd.csi.ceph.com/csi.sock"
|
|
lifecycle:
|
|
preStop:
|
|
exec:
|
|
command: [
|
|
"/bin/sh", "-c",
|
|
"rm -rf /registration/rbd.csi.ceph.com \
|
|
/registration/rbd.csi.ceph.com-reg.sock"
|
|
]
|
|
env:
|
|
- name: KUBE_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- name: registration-dir
|
|
mountPath: /registration
|
|
- name: csi-rbdplugin
|
|
securityContext:
|
|
privileged: true
|
|
capabilities:
|
|
add: ["SYS_ADMIN"]
|
|
allowPrivilegeEscalation: true
|
|
# for stable functionality replace canary with latest release version
|
|
image: quay.io/cephcsi/cephcsi:canary
|
|
args:
|
|
- "--nodeid=$(NODE_ID)"
|
|
- "--type=rbd"
|
|
- "--nodeserver=true"
|
|
- "--endpoint=$(CSI_ENDPOINT)"
|
|
- "--v=5"
|
|
- "--drivername=rbd.csi.ceph.com"
|
|
- "--metricsport=8090"
|
|
- "--metricspath=/metrics"
|
|
- "--enablegrpcmetrics=false"
|
|
env:
|
|
- name: POD_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.podIP
|
|
- name: NODE_ID
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: CSI_ENDPOINT
|
|
value: unix:///csi/csi.sock
|
|
imagePullPolicy: "IfNotPresent"
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- mountPath: /dev
|
|
name: host-dev
|
|
- mountPath: /sys
|
|
name: host-sys
|
|
- mountPath: /lib/modules
|
|
name: lib-modules
|
|
readOnly: true
|
|
- name: ceph-csi-config
|
|
mountPath: /etc/ceph-csi-config/
|
|
- name: plugin-dir
|
|
mountPath: /var/lib/kubelet/plugins
|
|
mountPropagation: "Bidirectional"
|
|
- name: mountpoint-dir
|
|
mountPath: /var/lib/kubelet/pods
|
|
mountPropagation: "Bidirectional"
|
|
- name: keys-tmp-dir
|
|
mountPath: /tmp/csi/keys
|
|
- name: liveness-prometheus
|
|
securityContext:
|
|
privileged: true
|
|
image: quay.io/cephcsi/cephcsi:canary
|
|
args:
|
|
- "--type=liveness"
|
|
- "--endpoint=$(CSI_ENDPOINT)"
|
|
- "--metricsport=8680"
|
|
- "--metricspath=/metrics"
|
|
- "--polltime=60s"
|
|
- "--timeout=3s"
|
|
env:
|
|
- name: CSI_ENDPOINT
|
|
value: unix:///csi/csi.sock
|
|
- name: POD_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.podIP
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
imagePullPolicy: "IfNotPresent"
|
|
volumes:
|
|
- name: socket-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/plugins/rbd.csi.ceph.com
|
|
type: DirectoryOrCreate
|
|
- name: plugin-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/plugins
|
|
type: Directory
|
|
- name: mountpoint-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/pods
|
|
type: DirectoryOrCreate
|
|
- name: registration-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/plugins_registry/
|
|
type: Directory
|
|
- name: host-dev
|
|
hostPath:
|
|
path: /dev
|
|
- name: host-sys
|
|
hostPath:
|
|
path: /sys
|
|
- name: lib-modules
|
|
hostPath:
|
|
path: /lib/modules
|
|
- name: ceph-csi-config
|
|
configMap:
|
|
name: ceph-csi-config
|
|
- name: keys-tmp-dir
|
|
emptyDir: {
|
|
medium: "Memory"
|
|
}
|
|
---
|
|
# This is a service to expose the liveness and grpc metrics
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: csi-metrics-rbdplugin
|
|
labels:
|
|
app: csi-metrics
|
|
spec:
|
|
ports:
|
|
- name: http-metrics
|
|
port: 8080
|
|
protocol: TCP
|
|
targetPort: 8680
|
|
- name: grpc-metrics
|
|
port: 8090
|
|
protocol: TCP
|
|
targetPort: 8090
|
|
selector:
|
|
app: csi-rbdplugin
|