+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
###################################################################################################################
# Create the common resources that are necessary to start the operator and the ceph cluster.
# These resources *must* be created before the operator.yaml and cluster.yaml or their variants.
apiVersion: v1
kind: Namespace
metadata:
- name: "{{ rook_namespace }}"
-# OLM: BEGIN CEPH CRD
-# The CRD declarations
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: cephclusters.ceph.rook.io
-spec:
- group: ceph.rook.io
- names:
- kind: CephCluster
- listKind: CephClusterList
- plural: cephclusters
- singular: cephcluster
- scope: Namespaced
- version: v1
- validation:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- annotations: {}
- cephVersion:
- properties:
- allowUnsupported:
- type: boolean
- image:
- type: string
- dashboard:
- properties:
- enabled:
- type: boolean
- urlPrefix:
- type: string
- port:
- type: integer
- minimum: 0
- maximum: 65535
- ssl:
- type: boolean
- dataDirHostPath:
- pattern: ^/(\S+)
- type: string
- skipUpgradeChecks:
- type: boolean
- mon:
- properties:
- allowMultiplePerNode:
- type: boolean
- count:
- maximum: 9
- minimum: 0
- type: integer
- mgr:
- properties:
- modules:
- items:
- properties:
- name:
- type: string
- enabled:
- type: boolean
- network:
- properties:
- hostNetwork:
- type: boolean
- storage:
- properties:
- disruptionManagement:
- properties:
- managePodBudgets:
- type: boolean
- osdMaintenanceTimeout:
- type: integer
- manageMachineDisruptionBudgets:
- type: boolean
- useAllNodes:
- type: boolean
- nodes:
- items:
- properties:
- name:
- type: string
- config:
- properties:
- metadataDevice:
- type: string
- storeType:
- type: string
- pattern: ^(filestore|bluestore)$
- databaseSizeMB:
- type: string
- walSizeMB:
- type: string
- journalSizeMB:
- type: string
- osdsPerDevice:
- type: string
- encryptedDevice:
- type: string
- pattern: ^(true|false)$
- useAllDevices:
- type: boolean
- deviceFilter: {}
- directories:
- type: array
- items:
- properties:
- path:
- type: string
- devices:
- type: array
- items:
- properties:
- name:
- type: string
- config: {}
- location: {}
- resources: {}
- type: array
- useAllDevices:
- type: boolean
- deviceFilter: {}
- location: {}
- directories:
- type: array
- items:
- properties:
- path:
- type: string
- config: {}
- topologyAware:
- type: boolean
- monitoring:
- properties:
- enabled:
- type: boolean
- rulesNamespace:
- type: string
- rbdMirroring:
- properties:
- workers:
- type: integer
- placement: {}
- resources: {}
- additionalPrinterColumns:
- - name: DataDirHostPath
- type: string
- description: Directory used on the K8s nodes
- JSONPath: .spec.dataDirHostPath
- - name: MonCount
- type: string
- description: Number of MONs
- JSONPath: .spec.mon.count
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
- - name: State
- type: string
- description: Current State
- JSONPath: .status.state
- - name: Health
- type: string
- description: Ceph Health
- JSONPath: .status.ceph.health
-# OLM: END CEPH CRD
-# OLM: BEGIN CEPH FS CRD
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: cephfilesystems.ceph.rook.io
-spec:
- group: ceph.rook.io
- names:
- kind: CephFilesystem
- listKind: CephFilesystemList
- plural: cephfilesystems
- singular: cephfilesystem
- scope: Namespaced
- version: v1
- validation:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- metadataServer:
- properties:
- activeCount:
- minimum: 1
- maximum: 10
- type: integer
- activeStandby:
- type: boolean
- annotations: {}
- placement: {}
- resources: {}
- metadataPool:
- properties:
- failureDomain:
- type: string
- replicated:
- properties:
- size:
- minimum: 1
- maximum: 10
- type: integer
- erasureCoded:
- properties:
- dataChunks:
- type: integer
- codingChunks:
- type: integer
- dataPools:
- type: array
- items:
- properties:
- failureDomain:
- type: string
- replicated:
- properties:
- size:
- minimum: 1
- maximum: 10
- type: integer
- erasureCoded:
- properties:
- dataChunks:
- type: integer
- codingChunks:
- type: integer
- additionalPrinterColumns:
- - name: ActiveMDS
- type: string
- description: Number of desired active MDS daemons
- JSONPath: .spec.metadataServer.activeCount
- - name: Age
- type: date
- JSONPath: .metadata.creationTimestamp
-# OLM: END CEPH FS CRD
-# OLM: BEGIN CEPH NFS CRD
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: cephnfses.ceph.rook.io
-spec:
- group: ceph.rook.io
- names:
- kind: CephNFS
- listKind: CephNFSList
- plural: cephnfses
- singular: cephnfs
- shortNames:
- - nfs
- scope: Namespaced
- version: v1
- validation:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- rados:
- properties:
- pool:
- type: string
- namespace:
- type: string
- server:
- properties:
- active:
- type: integer
- annotations: {}
- placement: {}
- resources: {}
-
-# OLM: END CEPH NFS CRD
-# OLM: BEGIN CEPH OBJECT STORE CRD
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: cephobjectstores.ceph.rook.io
-spec:
- group: ceph.rook.io
- names:
- kind: CephObjectStore
- listKind: CephObjectStoreList
- plural: cephobjectstores
- singular: cephobjectstore
- scope: Namespaced
- version: v1
- validation:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- gateway:
- properties:
- type:
- type: string
- sslCertificateRef: {}
- port:
- type: integer
- securePort: {}
- instances:
- type: integer
- annotations: {}
- placement: {}
- resources: {}
- metadataPool:
- properties:
- failureDomain:
- type: string
- replicated:
- properties:
- size:
- type: integer
- erasureCoded:
- properties:
- dataChunks:
- type: integer
- codingChunks:
- type: integer
- dataPool:
- properties:
- failureDomain:
- type: string
- replicated:
- properties:
- size:
- type: integer
- erasureCoded:
- properties:
- dataChunks:
- type: integer
- codingChunks:
- type: integer
-# OLM: END CEPH OBJECT STORE CRD
-# OLM: BEGIN CEPH OBJECT STORE USERS CRD
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: cephobjectstoreusers.ceph.rook.io
-spec:
- group: ceph.rook.io
- names:
- kind: CephObjectStoreUser
- listKind: CephObjectStoreUserList
- plural: cephobjectstoreusers
- singular: cephobjectstoreuser
- scope: Namespaced
- version: v1
-# OLM: END CEPH OBJECT STORE USERS CRD
-# OLM: BEGIN CEPH BLOCK POOL CRD
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: cephblockpools.ceph.rook.io
-spec:
- group: ceph.rook.io
- names:
- kind: CephBlockPool
- listKind: CephBlockPoolList
- plural: cephblockpools
- singular: cephblockpool
- scope: Namespaced
- version: v1
-# OLM: END CEPH BLOCK POOL CRD
-# OLM: BEGIN CEPH VOLUME POOL CRD
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: volumes.rook.io
-spec:
- group: rook.io
- names:
- kind: Volume
- listKind: VolumeList
- plural: volumes
- singular: volume
- shortNames:
- - rv
- scope: Namespaced
- version: v1alpha2
-# OLM: END CEPH VOLUME POOL CRD
-# OLM: BEGIN OBJECTBUCKET CRD
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: objectbuckets.objectbucket.io
-spec:
- group: objectbucket.io
- versions:
- - name: v1alpha1
- served: true
- storage: true
- names:
- kind: ObjectBucket
- listKind: ObjectBucketList
- plural: objectbuckets
- singular: objectbucket
- shortNames:
- - ob
- - obs
- scope: Cluster
- subresources:
- status: {}
-# OLM: END OBJECTBUCKET CRD
-# OLM: BEGIN OBJECTBUCKETCLAIM CRD
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- name: objectbucketclaims.objectbucket.io
-spec:
- versions:
- - name: v1alpha1
- served: true
- storage: true
- group: objectbucket.io
- names:
- kind: ObjectBucketClaim
- listKind: ObjectBucketClaimList
- plural: objectbucketclaims
- singular: objectbucketclaim
- shortNames:
- - obc
- - obcs
- scope: Namespaced
- subresources:
- status: {}
-# OLM: END OBJECTBUCKETCLAIM CRD
+ name: "{{ rook_namespace }}" # namespace:cluster
# OLM: BEGIN OBJECTBUCKET ROLEBINDING
---
kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-object-bucket
roleRef:
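Review bot: The `# namespace:cluster` marker added at L463 (and the `# namespace:operator` markers on the objects below) label two distinct namespaces, yet every one of them is templated from the same `{{ rook_namespace }}`, so the operator, the Ceph daemons and the CSI sidecars all share one namespace here. One consequence visible in this file is that namespace-scoped grants intended for the daemons also reach the operator's own objects — the `rook-ceph-mgr` Role's pod `delete`, for example, applies to the operator pod as well. If the markers are meant to support the upstream operator/cluster split, the `# namespace:cluster` objects need their own variable such as `{{ rook_cluster_namespace }}`; if co-location is deliberate, say so next to the Namespace, e.g. `# Operator and cluster share one namespace in this deployment; the namespace:* markers are informational only.` I am inferring the markers' purpose from their names; confirm against the tooling that consumes them.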
subjects:
- kind: ServiceAccount
name: rook-ceph-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
# OLM: END OBJECTBUCKET ROLEBINDING
# OLM: BEGIN OPERATOR ROLE
---
-# The cluster role for managing all the cluster-specific resources in a namespace
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-ceph-admission-controller
+ namespace: "{{ rook_namespace }}" # namespace:operator
+---
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-cluster-mgmt
- labels:
- operator: rook
- storage-backend: ceph
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
-rules: []
+ name: rook-ceph-admission-controller-role
+rules:
+ - apiGroups: ["ceph.rook.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rook-ceph-admission-controller-rolebinding
+subjects:
+ - kind: ServiceAccount
+ name: rook-ceph-admission-controller
+ apiGroup: ""
+ namespace: "{{ rook_namespace }}" # namespace:operator
+roleRef:
+ kind: ClusterRole
+ name: rook-ceph-admission-controller-role
+ apiGroup: rbac.authorization.k8s.io
+---
+# The cluster role for managing all the cluster-specific resources in a namespace
+apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: rook-ceph-cluster-mgmt-rules
+ name: rook-ceph-cluster-mgmt
labels:
operator: rook
storage-backend: ceph
- rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
rules:
- apiGroups:
- ""
+ - apps
+ - extensions
resources:
- secrets
- pods
- pods/log
- services
- configmaps
- verbs:
- - get
- - list
- - watch
- - patch
- - create
- - update
- - delete
-- apiGroups:
- - apps
- resources:
- deployments
- daemonsets
verbs:
- get
- list
- watch
+ - patch
- create
- update
- delete
---
# The role for the operator to manage resources in its own namespace
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: rook-ceph-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
labels:
operator: rook
storage-backend: ceph
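Review bot: The rewritten `rook-ceph-cluster-mgmt` rule at L531-L562 collapses what were two rules into one cross product — `""`, `apps` and `extensions` × secrets, pods, pods/log, services, configmaps, deployments, daemonsets × every mutating verb — and `patch` on deployments/daemonsets is newly granted as a side effect. The `extensions` group no longer serves deployments or daemonsets on any supported Kubernetes, so it only adds audit noise, and a single wide rule on a ClusterRole that bundles Secret write is exactly what becomes cluster-wide by accident when someone later binds it with a ClusterRoleBinding (today it is only bound through the namespaced RoleBinding at L839-L854). Keep the core and apps rules separate so each names only the resources that exist in its group, and drop `extensions`. The new `rook-ceph-admission-controller-role` earlier in the hunk is read-only on `ceph.rook.io` and looks fine.
```yaml
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  - pods
  - pods/log
  - services
  - configmaps
  verbs: [get, list, watch, patch, create, update, delete]
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  verbs: [get, list, watch, patch, create, update, delete]
```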
- delete
- apiGroups:
- apps
+ - extensions
resources:
- daemonsets
- statefulsets
- delete
---
# The cluster role for managing the Rook CRDs
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rook-ceph-global
labels:
operator: rook
storage-backend: ceph
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
-rules: []
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: rook-ceph-global-rules
- labels:
- operator: rook
- storage-backend: ceph
- rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
rules:
- apiGroups:
- ""
# Node access is needed for determining nodes where mons should run
- nodes
- nodes/proxy
+ - services
verbs:
- get
- list
- apiGroups:
- policy
- apps
+ - extensions
resources:
- #this is for the clusterdisruption controller
+ # This is for the clusterdisruption controller
- poddisruptionbudgets
- #this is for both clusterdisruption and nodedrain controllers
+ # This is for both clusterdisruption and nodedrain controllers
- deployments
+ - replicasets
verbs:
- "*"
- apiGroups:
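Review bot: The `"*"` verb list at L629-L630 in `rook-ceph-global` now also covers `replicasets` (L628) and the `extensions` group (L620), cluster-wide, for the `rook-ceph-system` service account that the `rook-ceph-global` ClusterRoleBinding binds. Unrestricted create/patch on Deployments in every namespace lets that account run a pod under any ServiceAccount in the cluster, which is effectively cluster-admin, and `extensions` no longer serves these resources on current Kubernetes. The comments say these rules exist for the clusterdisruption and nodedrain controllers; if those only read workloads, split the rule so PDBs keep the full verb set while deployments/replicasets get `get`, `list`, `watch`, and drop `extensions` — I cannot see the controllers from here, so confirm which verbs they actually exercise. The rest of this ClusterRole's rules lie outside the hunk.
```yaml
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs: [get, list, watch, create, update, patch, delete]
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  verbs: [get, list, watch]
```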
- create
- update
- delete
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - csidrivers
+ verbs:
+ - create
+ - delete
+ - get
+ - update
+- apiGroups:
+ - k8s.cni.cncf.io
+ resources:
+ - network-attachment-definitions
+ verbs:
+ - get
---
# Aspects of ceph-mgr that require cluster-wide access
kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-mgr-cluster
labels:
operator: rook
storage-backend: ceph
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
-rules: []
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: rook-ceph-mgr-cluster-rules
- labels:
- operator: rook
- storage-backend: ceph
- rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
rules:
- apiGroups:
- ""
- watch
---
kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-object-bucket
labels:
operator: rook
storage-backend: ceph
- rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
rules:
- apiGroups:
- ""
kind: ServiceAccount
metadata:
name: rook-ceph-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
labels:
operator: rook
storage-backend: ceph
---
# Grant the operator, agent, and discovery agents access to resources in the namespace
kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
labels:
operator: rook
storage-backend: ceph
subjects:
- kind: ServiceAccount
name: rook-ceph-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
# Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-global
- namespace: "{{ rook_namespace }}"
labels:
operator: rook
storage-backend: ceph
subjects:
- kind: ServiceAccount
name: rook-ceph-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
# OLM: END OPERATOR ROLEBINDING
#################################################################################################################
# Beginning of cluster-specific resources. The example will assume the cluster will be created in the "rook-ceph"
kind: ServiceAccount
metadata:
name: rook-ceph-osd
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
# imagePullSecrets:
# - name: my-registry-secret
kind: ServiceAccount
metadata:
name: rook-ceph-mgr
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
# imagePullSecrets:
# - name: my-registry-secret
kind: ServiceAccount
metadata:
name: rook-ceph-cmd-reporter
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
# OLM: END CMD REPORTER SERVICE ACCOUNT
# OLM: BEGIN CLUSTER ROLE
---
kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-osd
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: [ "get", "list", "create", "update", "delete" ]
---
kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-osd
- namespace: "{{ rook_namespace }}"
rules:
- apiGroups:
- ""
---
# Aspects of ceph-mgr that require access to the system namespace
kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-mgr-system
- namespace: "{{ rook_namespace }}"
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
-rules: []
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: rook-ceph-mgr-system-rules
- namespace: "{{ rook_namespace }}"
- labels:
- rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
rules:
- apiGroups:
- ""
---
# Aspects of ceph-mgr that operate within the cluster's namespace
kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-mgr
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
rules:
- apiGroups:
- ""
resources:
- pods
- services
+ - pods/log
verbs:
- get
- list
- watch
+ - delete
- apiGroups:
- batch
resources:
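Review bot: Adding `delete` to the shared verb list at L822 grants it on `services` and `pods/log` as well as `pods`, because a rule is the cross product of its resources and verbs; `delete` on `pods/log` is meaningless, but `delete` on Services lets the mgr remove the mon/mgr endpoints in this namespace. If only pod deletion is intended (the `pods/log` read at L817 suggests log/pod cleanup), give pods their own rule — `- apiGroups: [""]` / `resources: ["pods"]` / `verbs: ["delete"]` — and leave the existing rule at `get`, `list`, `watch`. The remaining `rook-ceph-mgr` rules continue after the hunk.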
# OLM: BEGIN CMD REPORTER ROLE
---
kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-cmd-reporter
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
rules:
- apiGroups:
- ""
---
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-cluster-mgmt
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: rook-ceph-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
# Allow the osd pods in this namespace to work with configmaps
kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-osd
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
subjects:
- kind: ServiceAccount
name: rook-ceph-osd
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
---
# Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules
kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-mgr
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
subjects:
- kind: ServiceAccount
name: rook-ceph-mgr
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
---
# Allow the ceph mgr to access the rook system resources necessary for the mgr modules
kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-mgr-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: rook-ceph-mgr
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
---
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-mgr-cluster
roleRef:
subjects:
- kind: ServiceAccount
name: rook-ceph-mgr
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
---
# Allow the ceph osd to access cluster-wide resources necessary for determining their topology location
kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-osd
roleRef:
subjects:
- kind: ServiceAccount
name: rook-ceph-osd
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
# OLM: END CLUSTER ROLEBINDING
# OLM: BEGIN CMD REPORTER ROLEBINDING
---
kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-cmd-reporter
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
subjects:
- kind: ServiceAccount
name: rook-ceph-cmd-reporter
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
# OLM: END CMD REPORTER ROLEBINDING
#################################################################################################################
# Beginning of pod security policy resources. The example will assume the cluster will be created in the
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
- name: rook-privileged
+ # Note: Kubernetes matches PSPs to deployments alphabetically. In some environments, this PSP may
+ # need to be renamed with a value that will match before others.
+ name: 00-rook-privileged
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
privileged: true
allowedCapabilities:
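Review bot: Renaming the policy to `00-rook-privileged` (L959) makes a fully privileged, mutating PSP sort first, so for any subject allowed to `use` it the admission controller applies it before any other mutating policy that would also have admitted the pod; that is the stated intent, but it means the `use` grants on this policy must stay limited to the Rook service accounts, and the existing binding of the cluster namespace's `default` ServiceAccount (L990-L1000) now hands every default-SA pod in that namespace a privileged policy first. The `seccomp.security.alpha.kubernetes.io/*` annotations at L961-L962 are the deprecated pre-1.19 spelling, and with `privileged: true` they are not a meaningful restriction — Docker, at least, runs privileged containers unconfined regardless of the profile. Worth a comment above them, e.g. `# Advisory only: privileged pods run unconfined on Docker; enforce seccomp via securityContext.seccompProfile on the pods.` PodSecurityPolicy itself is deprecated from 1.21 and removed in 1.25, so this block needs a migration plan.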
- hostPath
- flexVolume
# allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # directory-based OSDs make this hard to nail down
# allowedHostPaths:
# - pathPrefix: "/run/udev" # for OSD prep
# readOnly: false
resources:
- podsecuritypolicies
resourceNames:
- - rook-privileged
+ - 00-rook-privileged
verbs:
- use
---
subjects:
- kind: ServiceAccount
name: rook-ceph-system
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rook-ceph-default-psp
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: default
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rook-ceph-osd-psp
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: rook-ceph-osd
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rook-ceph-mgr-psp
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: rook-ceph-mgr
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rook-ceph-cmd-reporter-psp
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: rook-ceph-cmd-reporter
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:cluster
# OLM: END CLUSTER POD SECURITY POLICY BINDINGS
# OLM: BEGIN CSI CEPHFS SERVICE ACCOUNT
---
kind: ServiceAccount
metadata:
name: rook-csi-cephfs-plugin-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rook-csi-cephfs-provisioner-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
# OLM: END CSI CEPHFS SERVICE ACCOUNT
# OLM: BEGIN CSI CEPHFS ROLE
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- namespace: "{{ rook_namespace }}"
name: cephfs-external-provisioner-cfg
+ namespace: "{{ rook_namespace }}" # namespace:operator
rules:
- apiGroups: [""]
resources: ["endpoints"]
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-provisioner-role-cfg
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
subjects:
- kind: ServiceAccount
name: rook-csi-cephfs-provisioner-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
roleRef:
kind: Role
name: cephfs-external-provisioner-cfg
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-nodeplugin
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.ceph.rook.io/aggregate-to-cephfs-csi-nodeplugin: "true"
-rules: []
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-csi-nodeplugin-rules
- labels:
- rbac.ceph.rook.io/aggregate-to-cephfs-csi-nodeplugin: "true"
rules:
- apiGroups: [""]
resources: ["nodes"]
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-external-provisioner-runner
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.ceph.rook.io/aggregate-to-cephfs-external-provisioner-runner: "true"
-rules: []
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cephfs-external-provisioner-runner-rules
- labels:
- rbac.ceph.rook.io/aggregate-to-cephfs-external-provisioner-runner: "true"
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "list", "watch", "delete", "get", "update"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots/status"]
+ verbs: ["update"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
# OLM: END CSI CEPHFS CLUSTER ROLE
# OLM: BEGIN CSI CEPHFS CLUSTER ROLEBINDING
---
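Review bot: The new rule at L1145-L1147 gives `rook-csi-cephfs-provisioner-sa` cluster-wide `create`, `update` and `delete` on CustomResourceDefinitions — deleting a CRD cascades to every instance of it in the cluster and updating one can change its schema or conversion webhook, so this is close to cluster-admin for a CSI sidecar that already holds cluster-wide Secret read (L1120-L1122). If the snapshot CRDs are installed by the cluster administrator or the snapshot-controller rather than by the sidecar, cut the rule to `verbs: ["get", "list", "watch"]`; if the sidecar must manage them, at least pin `resourceNames` to the `*.snapshot.storage.k8s.io` CRDs so it cannot touch others (note `resourceNames` does not constrain `create`, `list` or `watch`). The pre-existing rbd rule at L1305-L1307 has the same shape and deserves the same trim. I cannot see which snapshotter version is deployed, so confirm before narrowing.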
subjects:
- kind: ServiceAccount
name: rook-csi-cephfs-plugin-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
subjects:
- kind: ServiceAccount
name: rook-csi-cephfs-provisioner-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
subjects:
- kind: ServiceAccount
name: rook-csi-cephfs-plugin-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
roleRef:
kind: ClusterRole
name: cephfs-csi-nodeplugin
subjects:
- kind: ServiceAccount
name: rook-csi-cephfs-provisioner-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
roleRef:
kind: ClusterRole
name: cephfs-external-provisioner-runner
kind: ServiceAccount
metadata:
name: rook-csi-rbd-plugin-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rook-csi-rbd-provisioner-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
# OLM: END CSI RBD SERVICE ACCOUNT
# OLM: BEGIN CSI RBD ROLE
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- namespace: "{{ rook_namespace }}"
name: rbd-external-provisioner-cfg
+ namespace: "{{ rook_namespace }}" # namespace:operator
rules:
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete"]
+ verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-provisioner-role-cfg
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-provisioner-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
roleRef:
kind: Role
name: rbd-external-provisioner-cfg
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.ceph.rook.io/aggregate-to-rbd-csi-nodeplugin: "true"
-rules: []
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-csi-nodeplugin-rules
- labels:
- rbac.ceph.rook.io/aggregate-to-rbd-csi-nodeplugin: "true"
rules:
- apiGroups: [""]
resources: ["secrets"]
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-external-provisioner-runner
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.ceph.rook.io/aggregate-to-rbd-external-provisioner-runner: "true"
-rules: []
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: rbd-external-provisioner-runner-rules
- labels:
- rbac.ceph.rook.io/aggregate-to-rbd-external-provisioner-runner: "true"
rules:
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get", "list"]
+ verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["create", "list", "watch", "delete", "get", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots/status"]
verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: [ "get"]
# OLM: END CSI RBD CLUSTER ROLE
# OLM: BEGIN CSI RBD CLUSTER ROLEBINDING
---
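Review bot: `watch` on `secrets` at L1281 together with the new cluster-wide `configmaps` `get` at L1314-L1316 widens what `rook-csi-rbd-provisioner-sa` can read: a cluster-wide Secret `list`/`watch` streams every Secret in the cluster into the sidecar's informer cache, far beyond the per-StorageClass `get` the provisioner needs to resolve `csi.storage.k8s.io/*-secret-name` references. If the `watch` exists to feed a cache, check whether the sidecar can run with a namespaced informer; otherwise keep `get` and drop `list`/`watch`. The new configmap rule is also oddly formatted — `verbs: [ "get"]` should read `verbs: ["get"]` like the rest of the file. I cannot see the sidecar's flags from here, so confirm which verbs it actually uses.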
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-plugin-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-provisioner-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-plugin-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
roleRef:
kind: ClusterRole
name: rbd-csi-nodeplugin
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-provisioner-sa
- namespace: "{{ rook_namespace }}"
+ namespace: "{{ rook_namespace }}" # namespace:operator
roleRef:
kind: ClusterRole
name: rbd-external-provisioner-runner