ceph-csi/deploy/nfs/kubernetes/csi-nodeplugin-psp.yaml
Niels de Vos 1818529a4c deploy: allow hostPort 29653 for NFS node-plugin
This should address the following failure when Pod Security Policies are
enabled:

> FailedCreate: Error creating: pods "csi-nfs-node-" is forbidden:
> PodSecurityPolicy: unable to admit pod: spec.containers[2].hostPort:
> Invalid value: 29653: Host port 29653 is not allowed to be used.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-05-10 00:43:43 +00:00

78 lines
1.7 KiB
YAML

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: nfs-csi-nodeplugin-psp
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- 'SYS_ADMIN'
fsGroup:
rule: RunAsAny
privileged: true
hostNetwork: true
hostPID: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'hostPath'
allowedHostPaths:
- pathPrefix: '/dev'
readOnly: false
- pathPrefix: '/run/mount'
readOnly: false
- pathPrefix: '/sys'
readOnly: false
- pathPrefix: '/etc/selinux'
readOnly: true
- pathPrefix: '/lib/modules'
readOnly: true
- pathPrefix: '/var/lib/kubelet/pods'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins/nfs.csi.ceph.com'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins_registry'
readOnly: false
- pathPrefix: '/var/lib/kubelet/plugins'
readOnly: false
hostPorts:
- min: 29653
max: 29653
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nfs-csi-nodeplugin-psp
# replace with non-default namespace name
namespace: default
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['nfs-csi-nodeplugin-psp']
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nfs-csi-nodeplugin-psp
# replace with non-default namespace name
namespace: default
subjects:
- kind: ServiceAccount
name: nfs-csi-nodeplugin
# replace with non-default namespace name
namespace: default
roleRef:
kind: Role
name: nfs-csi-nodeplugin-psp
apiGroup: rbac.authorization.k8s.io