mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-09-19 15:09:56 +00:00
1818529a4c
This should address the following failure when Pod Security Policies are enabled: > FailedCreate: Error creating: pods "csi-nfs-node-" is forbidden: > PodSecurityPolicy: unable to admit pod: spec.containers[2].hostPort: > Invalid value: 29653: Host port 29653 is not allowed to be used. Signed-off-by: Niels de Vos <ndevos@redhat.com>
78 lines
1.7 KiB
YAML
78 lines
1.7 KiB
YAML
---
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: nfs-csi-nodeplugin-psp
|
|
spec:
|
|
allowPrivilegeEscalation: true
|
|
allowedCapabilities:
|
|
- 'SYS_ADMIN'
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
privileged: true
|
|
hostNetwork: true
|
|
hostPID: true
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- 'configMap'
|
|
- 'emptyDir'
|
|
- 'projected'
|
|
- 'secret'
|
|
- 'hostPath'
|
|
allowedHostPaths:
|
|
- pathPrefix: '/dev'
|
|
readOnly: false
|
|
- pathPrefix: '/run/mount'
|
|
readOnly: false
|
|
- pathPrefix: '/sys'
|
|
readOnly: false
|
|
- pathPrefix: '/etc/selinux'
|
|
readOnly: true
|
|
- pathPrefix: '/lib/modules'
|
|
readOnly: true
|
|
- pathPrefix: '/var/lib/kubelet/pods'
|
|
readOnly: false
|
|
- pathPrefix: '/var/lib/kubelet/plugins/nfs.csi.ceph.com'
|
|
readOnly: false
|
|
- pathPrefix: '/var/lib/kubelet/plugins_registry'
|
|
readOnly: false
|
|
- pathPrefix: '/var/lib/kubelet/plugins'
|
|
readOnly: false
|
|
hostPorts:
|
|
- min: 29653
|
|
max: 29653
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: nfs-csi-nodeplugin-psp
|
|
# replace with non-default namespace name
|
|
namespace: default
|
|
rules:
|
|
- apiGroups: ['policy']
|
|
resources: ['podsecuritypolicies']
|
|
verbs: ['use']
|
|
resourceNames: ['nfs-csi-nodeplugin-psp']
|
|
|
|
---
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: nfs-csi-nodeplugin-psp
|
|
# replace with non-default namespace name
|
|
namespace: default
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: nfs-csi-nodeplugin
|
|
# replace with non-default namespace name
|
|
namespace: default
|
|
roleRef:
|
|
kind: Role
|
|
name: nfs-csi-nodeplugin-psp
|
|
apiGroup: rbac.authorization.k8s.io
|