X-Git-Url: https://gerrit.nordix.org/gitweb?p=infra%2Fstack%2Fkubernetes.git;a=blobdiff_plain;f=apps%2Fceph%2Fkubespray%2Fplaybooks%2Froles%2Finstall%2Ftemplates%2Fcommon.yaml.j2;fp=apps%2Fceph%2Fkubespray%2Fplaybooks%2Froles%2Finstall%2Ftemplates%2Fcommon.yaml.j2;h=7809e9b237e87ba072f98e43955e5b00835e195c;hp=d8b74128a0ffa15344ddbb0887983fa43346ee75;hb=346533a32cb7cf00414d723f2cdb89785f1a2e2d;hpb=3f7a6e04758ac28aa51bd66b67f600534f646ff0
diff --git a/apps/ceph/kubespray/playbooks/roles/install/templates/common.yaml.j2 b/apps/ceph/kubespray/playbooks/roles/install/templates/common.yaml.j2
index d8b7412..7809e9b 100644
--- a/apps/ceph/kubespray/playbooks/roles/install/templates/common.yaml.j2
+++ b/apps/ceph/kubespray/playbooks/roles/install/templates/common.yaml.j2
@@ -1,3 +1,21 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
 ###################################################################################################################
 # Create the common resources that are necessary to start the operator and the ceph cluster.
 # These resources *must* be created before the operator.yaml and cluster.yaml or their variants.
@@ -14,448 +32,11 @@ apiVersion: v1 kind: Namespace metadata: - name: "{{ rook_namespace }}" -# OLM: BEGIN CEPH CRD -# The CRD declarations ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: cephclusters.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephCluster - listKind: CephClusterList - plural: cephclusters - singular: cephcluster - scope: Namespaced - version: v1 - validation: - openAPIV3Schema: - properties: - spec: - properties: - annotations: {} - cephVersion: - properties: - allowUnsupported: - type: boolean - image: - type: string - dashboard: - properties: - enabled: - type: boolean - urlPrefix: - type: string - port: - type: integer - minimum: 0 - maximum: 65535 - ssl: - type: boolean - dataDirHostPath: - pattern: ^/(\S+) - type: string - skipUpgradeChecks: - type: boolean - mon: - properties: - allowMultiplePerNode: - type: boolean - count: - maximum: 9 - minimum: 0 - type: integer - mgr: - properties: - modules: - items: - properties: - name: - type: string - enabled: - type: boolean - network: - properties: - hostNetwork: - type: boolean - storage: - properties: - disruptionManagement: - properties: - managePodBudgets: - type: boolean - osdMaintenanceTimeout: - type: integer - manageMachineDisruptionBudgets: - type: boolean - useAllNodes: - type: boolean - nodes: - items: - properties: - name: - type: string - config: - properties: - metadataDevice: - type: string - storeType: - type: string - pattern: ^(filestore|bluestore)$ - databaseSizeMB: - type: string - walSizeMB: - type: string - journalSizeMB: - type: string - osdsPerDevice: - type: string - encryptedDevice: - type: string - pattern: ^(true|false)$ - useAllDevices: - type: boolean - deviceFilter: {} - directories: - type: array - items: - properties: - path: - type: string - devices: - type: array - items: - properties: - name: - type: string - config: {} - location: {} - resources: {} - type: array - useAllDevices: - type: boolean 
- deviceFilter: {} - location: {} - directories: - type: array - items: - properties: - path: - type: string - config: {} - topologyAware: - type: boolean - monitoring: - properties: - enabled: - type: boolean - rulesNamespace: - type: string - rbdMirroring: - properties: - workers: - type: integer - placement: {} - resources: {} - additionalPrinterColumns: - - name: DataDirHostPath - type: string - description: Directory used on the K8s nodes - JSONPath: .spec.dataDirHostPath - - name: MonCount - type: string - description: Number of MONs - JSONPath: .spec.mon.count - - name: Age - type: date - JSONPath: .metadata.creationTimestamp - - name: State - type: string - description: Current State - JSONPath: .status.state - - name: Health - type: string - description: Ceph Health - JSONPath: .status.ceph.health -# OLM: END CEPH CRD -# OLM: BEGIN CEPH FS CRD ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: cephfilesystems.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephFilesystem - listKind: CephFilesystemList - plural: cephfilesystems - singular: cephfilesystem - scope: Namespaced - version: v1 - validation: - openAPIV3Schema: - properties: - spec: - properties: - metadataServer: - properties: - activeCount: - minimum: 1 - maximum: 10 - type: integer - activeStandby: - type: boolean - annotations: {} - placement: {} - resources: {} - metadataPool: - properties: - failureDomain: - type: string - replicated: - properties: - size: - minimum: 1 - maximum: 10 - type: integer - erasureCoded: - properties: - dataChunks: - type: integer - codingChunks: - type: integer - dataPools: - type: array - items: - properties: - failureDomain: - type: string - replicated: - properties: - size: - minimum: 1 - maximum: 10 - type: integer - erasureCoded: - properties: - dataChunks: - type: integer - codingChunks: - type: integer - additionalPrinterColumns: - - name: ActiveMDS - type: string - description: Number of desired 
active MDS daemons - JSONPath: .spec.metadataServer.activeCount - - name: Age - type: date - JSONPath: .metadata.creationTimestamp -# OLM: END CEPH FS CRD -# OLM: BEGIN CEPH NFS CRD ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: cephnfses.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephNFS - listKind: CephNFSList - plural: cephnfses - singular: cephnfs - shortNames: - - nfs - scope: Namespaced - version: v1 - validation: - openAPIV3Schema: - properties: - spec: - properties: - rados: - properties: - pool: - type: string - namespace: - type: string - server: - properties: - active: - type: integer - annotations: {} - placement: {} - resources: {} - -# OLM: END CEPH NFS CRD -# OLM: BEGIN CEPH OBJECT STORE CRD ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: cephobjectstores.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephObjectStore - listKind: CephObjectStoreList - plural: cephobjectstores - singular: cephobjectstore - scope: Namespaced - version: v1 - validation: - openAPIV3Schema: - properties: - spec: - properties: - gateway: - properties: - type: - type: string - sslCertificateRef: {} - port: - type: integer - securePort: {} - instances: - type: integer - annotations: {} - placement: {} - resources: {} - metadataPool: - properties: - failureDomain: - type: string - replicated: - properties: - size: - type: integer - erasureCoded: - properties: - dataChunks: - type: integer - codingChunks: - type: integer - dataPool: - properties: - failureDomain: - type: string - replicated: - properties: - size: - type: integer - erasureCoded: - properties: - dataChunks: - type: integer - codingChunks: - type: integer -# OLM: END CEPH OBJECT STORE CRD -# OLM: BEGIN CEPH OBJECT STORE USERS CRD ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: cephobjectstoreusers.ceph.rook.io -spec: - group: ceph.rook.io 
- names: - kind: CephObjectStoreUser - listKind: CephObjectStoreUserList - plural: cephobjectstoreusers - singular: cephobjectstoreuser - scope: Namespaced - version: v1 -# OLM: END CEPH OBJECT STORE USERS CRD -# OLM: BEGIN CEPH BLOCK POOL CRD ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: cephblockpools.ceph.rook.io -spec: - group: ceph.rook.io - names: - kind: CephBlockPool - listKind: CephBlockPoolList - plural: cephblockpools - singular: cephblockpool - scope: Namespaced - version: v1 -# OLM: END CEPH BLOCK POOL CRD -# OLM: BEGIN CEPH VOLUME POOL CRD ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: volumes.rook.io -spec: - group: rook.io - names: - kind: Volume - listKind: VolumeList - plural: volumes - singular: volume - shortNames: - - rv - scope: Namespaced - version: v1alpha2 -# OLM: END CEPH VOLUME POOL CRD -# OLM: BEGIN OBJECTBUCKET CRD ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: objectbuckets.objectbucket.io -spec: - group: objectbucket.io - versions: - - name: v1alpha1 - served: true - storage: true - names: - kind: ObjectBucket - listKind: ObjectBucketList - plural: objectbuckets - singular: objectbucket - shortNames: - - ob - - obs - scope: Cluster - subresources: - status: {} -# OLM: END OBJECTBUCKET CRD -# OLM: BEGIN OBJECTBUCKETCLAIM CRD ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: objectbucketclaims.objectbucket.io -spec: - versions: - - name: v1alpha1 - served: true - storage: true - group: objectbucket.io - names: - kind: ObjectBucketClaim - listKind: ObjectBucketClaimList - plural: objectbucketclaims - singular: objectbucketclaim - shortNames: - - obc - - obcs - scope: Namespaced - subresources: - status: {} -# OLM: END OBJECTBUCKETCLAIM CRD + name: "{{ rook_namespace }}" # namespace:cluster # OLM: BEGIN OBJECTBUCKET ROLEBINDING --- kind: 
ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-object-bucket roleRef: 
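Review bot: The eleven CRDs removed in this hunk (cephclusters through objectbucketclaims) are not re-created anywhere in the template, while the surviving header still states that the common resources must exist before operator.yaml and cluster.yaml; if the CRDs moved to a separate template, the install role has to apply that file before this one and the header should say so, e.g. `# CRDs are applied separately before this file; see the install role's task order`. The `# namespace:operator` and `# namespace:cluster` markers added here and in every later hunk are upstream Rook's placeholders for two distinct namespaces, but this template renders both from the single `{{ rook_namespace }}`, so a reader may assume a separation that does not exist. A comment near the Namespace object such as `# Both namespace:operator and namespace:cluster markers render to rook_namespace; operator and cluster share one namespace here` would make the deployment shape explicit.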
@@ -465,68 +46,75 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator # OLM: END OBJECTBUCKET ROLEBINDING # OLM: BEGIN OPERATOR ROLE --- -# The cluster role for managing all the cluster-specific resources in a namespace -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-ceph-admission-controller + namespace: "{{ rook_namespace }}" # namespace:operator +--- kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: rook-ceph-cluster-mgmt - labels: - operator: rook - storage-backend: ceph -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true" -rules: [] + name: rook-ceph-admission-controller-role +rules: + - apiGroups: ["ceph.rook.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: rook-ceph-admission-controller-rolebinding +subjects: + - kind: ServiceAccount + name: rook-ceph-admission-controller + apiGroup: "" + namespace: "{{ rook_namespace }}" # namespace:operator +roleRef: + kind: ClusterRole + name: rook-ceph-admission-controller-role + apiGroup: rbac.authorization.k8s.io +--- +# The cluster role for managing all the cluster-specific resources in a namespace +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: rook-ceph-cluster-mgmt-rules + name: rook-ceph-cluster-mgmt labels: operator: rook storage-backend: ceph - rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true" rules: - apiGroups: - "" + - apps + - extensions resources: - secrets - pods - pods/log - services - configmaps - verbs: - - get - - list - - watch - - patch - - create - - update - - delete -- apiGroups: - - apps - resources: - deployments - daemonsets verbs: - get - list - 
watch + - patch - create - update - delete --- # The role for the operator to manage resources in its own namespace -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: rook-ceph-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator labels: operator: rook storage-backend: ceph @@ -547,6 +135,7 @@ rules: - delete - apiGroups: - apps + - extensions resources: - daemonsets - statefulsets @@ -560,27 +149,13 @@ rules: - delete --- # The cluster role for managing the Rook CRDs -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: rook-ceph-global labels: operator: rook storage-backend: ceph -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true" -rules: [] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: rook-ceph-global-rules - labels: - operator: rook - storage-backend: ceph - rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true" rules: - apiGroups: - "" @@ -590,6 +165,7 @@ rules: # Node access is needed for determining nodes where mons should run - nodes - nodes/proxy + - services verbs: - get - list @@ -644,11 +220,13 @@ rules: - apiGroups: - policy - apps + - extensions resources: - #this is for the clusterdisruption controller + # This is for the clusterdisruption controller - poddisruptionbudgets - #this is for both clusterdisruption and nodedrain controllers + # This is for both clusterdisruption and nodedrain controllers - deployments + - replicasets verbs: - "*" - apiGroups: 
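Review bot: The new `rook-ceph-admission-controller-role` ClusterRole grants get/watch/list on `resources: ["*"]` for ceph.rook.io; the verbs are read-only, but enumerating the kinds the webhook validates would keep the grant reviewable as Rook adds CRDs. In the same hunk `rook-ceph-cluster-mgmt` folds the former core and apps rules into one, so `patch` now applies to deployments and daemonsets as well as to secrets, pods, services and configmaps, which the old apps rule did not allow; a one-line comment stating that the operator needs patch on workloads would record that this widening is intentional. The added `extensions` group (also in the hunk at -547) only matters on clusters old enough to still serve deployments and daemonsets from it.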
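Review bot: In the hunk at -644 the rule that now lists `replicasets` and the `extensions` group keeps `verbs: - "*"`, so the operator service account bound through the `rook-ceph-global` ClusterRoleBinding can create, update and delete deployments and replicasets in every namespace. The comments say the rule exists for the clusterdisruption and nodedrain controllers; if those controllers only need to read and evict, listing the verbs (`get`, `list`, `watch`, `update`, `patch`, `delete`) would shrink a cluster-wide wildcard to what is used. The ClusterRole's rules continue outside the hunk.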
@@ -673,29 +251,30 @@ rules: - create - update - delete +- apiGroups: + - storage.k8s.io + resources: + - csidrivers + verbs: + - create + - delete + - get + - update +- apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get --- # Aspects of ceph-mgr that require cluster-wide access kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-mgr-cluster labels: operator: rook storage-backend: ceph -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: rook-ceph-mgr-cluster-rules - labels: - operator: rook - storage-backend: ceph - rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true" rules: - apiGroups: - "" @@ -719,13 +298,12 @@ rules: - watch --- kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-object-bucket labels: operator: rook storage-backend: ceph - rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true" rules: - apiGroups: - "" @@ -756,7 +334,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: rook-ceph-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator labels: operator: rook storage-backend: ceph @@ -768,10 +346,10 @@ metadata: --- # Grant the operator, agent, and discovery agents access to resources in the namespace kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator labels: operator: rook storage-backend: ceph 
@@ -782,14 +360,13 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- # Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-global - namespace: "{{ rook_namespace }}" labels: operator: rook storage-backend: ceph @@ -800,7 +377,7 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator # OLM: END OPERATOR ROLEBINDING ################################################################################################################# # Beginning of cluster-specific resources. The example will assume the cluster will be created in the "rook-ceph" @@ -814,7 +391,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: rook-ceph-osd - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster # imagePullSecrets: # - name: my-registry-secret @@ -826,7 +403,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: rook-ceph-mgr - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster # imagePullSecrets: # - name: my-registry-secret @@ -837,15 +414,15 @@ apiVersion: v1 kind: ServiceAccount metadata: name: rook-ceph-cmd-reporter - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster # OLM: END CMD REPORTER SERVICE ACCOUNT # OLM: BEGIN CLUSTER ROLE --- kind: Role -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-osd - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster rules: - apiGroups: [""] resources: ["configmaps"] 
@@ -855,10 +432,9 @@ rules: verbs: [ "get", "list", "create", "update", "delete" ] --- kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-osd - namespace: "{{ rook_namespace }}" rules: - apiGroups: - "" @@ -870,23 +446,9 @@ rules: --- # Aspects of ceph-mgr that require access to the system namespace kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-mgr-system - namespace: "{{ rook_namespace }}" -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: rook-ceph-mgr-system-rules - namespace: "{{ rook_namespace }}" - labels: - rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true" rules: - apiGroups: - "" @@ -899,20 +461,22 @@ rules: --- # Aspects of ceph-mgr that operate within the cluster's namespace kind: Role -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-mgr - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster rules: - apiGroups: - "" resources: - pods - services + - pods/log verbs: - get - list - watch + - delete - apiGroups: - batch resources: @@ -934,10 +498,10 @@ rules: # OLM: BEGIN CMD REPORTER ROLE --- kind: Role -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-cmd-reporter - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster rules: - apiGroups: - "" 
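Review bot: In the hunk at -899, adding `delete` to the rule that covers `pods`, `services` and the newly added `pods/log` lets the `rook-ceph-mgr` service account delete pods and services in the cluster namespace, where before it could only read them. If deletion is needed for only one of those resources, moving it to its own rule, e.g. `- apiGroups: [""] resources: ["pods"] verbs: ["delete"]`, keeps the mgr's grant minimal and documents which resource it acts on. The Role's rules continue outside the hunk.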
@@ -956,10 +520,10 @@ rules: --- # Allow the operator to create resources in this cluster's namespace kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-cluster-mgmt - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -967,14 +531,14 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- # Allow the osd pods in this namespace to work with configmaps kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-osd - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -982,14 +546,14 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-osd - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster --- # Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-mgr - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: Role 
@@ -997,14 +561,14 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-mgr - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster --- # Allow the ceph mgr to access the rook system resources necessary for the mgr modules kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-mgr-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -1012,11 +576,11 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-mgr - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster --- # Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-mgr-cluster roleRef: @@ -1026,12 +590,12 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-mgr - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster --- # Allow the ceph osd to access cluster-wide resources necessary for determining their topology location kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-osd roleRef: @@ -1041,16 +605,16 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-osd - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster # OLM: END CLUSTER ROLEBINDING # OLM: BEGIN CMD REPORTER ROLEBINDING --- kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rook-ceph-cmd-reporter - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: Role 
@@ -1058,7 +622,7 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-cmd-reporter - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster # OLM: END CMD REPORTER ROLEBINDING ################################################################################################################# # Beginning of pod security policy resources. The example will assume the cluster will be created in the @@ -1070,7 +634,12 @@ subjects: apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: rook-privileged + # Note: Kubernetes matches PSPs to deployments alphabetically. In some environments, this PSP may + # need to be renamed with a value that will match before others. + name: 00-rook-privileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' spec: privileged: true allowedCapabilities: @@ -1100,7 +669,6 @@ spec: - hostPath - flexVolume # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known - # directory-based OSDs make this hard to nail down # allowedHostPaths: # - pathPrefix: "/run/udev" # for OSD prep # readOnly: false @@ -1146,7 +714,7 @@ rules: resources: - podsecuritypolicies resourceNames: - - rook-privileged + - 00-rook-privileged verbs: - use --- @@ -1161,13 +729,13 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-system - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: rook-ceph-default-psp - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
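Review bot: The hunk at -1100 drops `# directory-based OSDs make this hard to nail down`, which was the stated reason `allowedHostPaths` stays commented out, yet the renamed `00-rook-privileged` PSP remains `privileged: true` with `hostPath` permitted on any prefix. With that justification gone, either enable the `allowedHostPaths` entries that follow or replace the removed sentence with the current reason, e.g. `# allowedHostPaths stays unrestricted because OSD device paths vary per node`, so the next reader does not assume the restriction was simply forgotten. The PSP spec continues outside the hunk.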
@@ -1175,13 +743,13 @@ roleRef: subjects: - kind: ServiceAccount name: default - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: rook-ceph-osd-psp - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -1189,13 +757,13 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-osd - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: rook-ceph-mgr-psp - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -1203,13 +771,13 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-mgr - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: rook-ceph-cmd-reporter-psp - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -1217,7 +785,7 @@ roleRef: subjects: - kind: ServiceAccount name: rook-ceph-cmd-reporter - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:cluster # OLM: END CLUSTER POD SECURITY POLICY BINDINGS # OLM: BEGIN CSI CEPHFS SERVICE ACCOUNT --- 
@@ -1225,21 +793,21 @@ apiVersion: v1 kind: ServiceAccount metadata: name: rook-csi-cephfs-plugin-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- apiVersion: v1 kind: ServiceAccount metadata: name: rook-csi-cephfs-provisioner-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator # OLM: END CSI CEPHFS SERVICE ACCOUNT # OLM: BEGIN CSI CEPHFS ROLE --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - namespace: "{{ rook_namespace }}" name: cephfs-external-provisioner-cfg + namespace: "{{ rook_namespace }}" # namespace:operator rules: - apiGroups: [""] resources: ["endpoints"] @@ -1257,11 +825,11 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cephfs-csi-provisioner-role-cfg - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator subjects: - kind: ServiceAccount name: rook-csi-cephfs-provisioner-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator roleRef: kind: Role name: cephfs-external-provisioner-cfg @@ -1273,18 +841,6 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cephfs-csi-nodeplugin -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.ceph.rook.io/aggregate-to-cephfs-csi-nodeplugin: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-csi-nodeplugin-rules - labels: - rbac.ceph.rook.io/aggregate-to-cephfs-csi-nodeplugin: "true" rules: - apiGroups: [""] resources: ["nodes"] 
@@ -1306,25 +862,13 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: cephfs-external-provisioner-runner -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.ceph.rook.io/aggregate-to-cephfs-external-provisioner-runner: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: cephfs-external-provisioner-runner-rules - labels: - rbac.ceph.rook.io/aggregate-to-cephfs-external-provisioner-runner: "true" rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] - apiGroups: [""] resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete", "update"] + verbs: ["get", "list", "watch", "create", "delete", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] 
@@ -1334,12 +878,36 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete", "get", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] # OLM: END CSI CEPHFS CLUSTER ROLE # OLM: BEGIN CSI CEPHFS CLUSTER ROLEBINDING --- @@ -1354,7 +922,7 @@ roleRef: subjects: - kind: ServiceAccount name: rook-csi-cephfs-plugin-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -1367,7 +935,7 @@ roleRef: subjects: - kind: ServiceAccount name: rook-csi-cephfs-provisioner-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 
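Review bot: The new rule granting `customresourcedefinitions` create/list/watch/delete/get/update to `cephfs-external-provisioner-runner` lets the CephFS provisioner service account delete any CRD in the cluster, which removes every object of that kind; that is far broader than the snapshot.storage.k8s.io rules around it. The same rule already appears in the RBD runner (context of the hunk at -1529) and looks like it comes from an older external-snapshotter sidecar that installed the snapshot CRDs itself; if the snapshotter image deployed here no longer does so, both rules can be removed, otherwise a comment such as `# needed only while the snapshotter sidecar installs the snapshot CRDs` would document why a provisioner holds cluster-wide CRD rights. The ClusterRole's rules start outside the hunk.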
@@ -1376,7 +944,7 @@ metadata: subjects: - kind: ServiceAccount name: rook-csi-cephfs-plugin-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator roleRef: kind: ClusterRole name: cephfs-csi-nodeplugin @@ -1390,7 +958,7 @@ metadata: subjects: - kind: ServiceAccount name: rook-csi-cephfs-provisioner-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator roleRef: kind: ClusterRole name: cephfs-external-provisioner-runner @@ -1402,28 +970,28 @@ apiVersion: v1 kind: ServiceAccount metadata: name: rook-csi-rbd-plugin-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- apiVersion: v1 kind: ServiceAccount metadata: name: rook-csi-rbd-provisioner-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator # OLM: END CSI RBD SERVICE ACCOUNT # OLM: BEGIN CSI RBD ROLE --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - namespace: "{{ rook_namespace }}" name: rbd-external-provisioner-cfg + namespace: "{{ rook_namespace }}" # namespace:operator rules: - apiGroups: [""] resources: ["endpoints"] verbs: ["get", "watch", "list", "delete", "update", "create"] - apiGroups: [""] resources: ["configmaps"] - verbs: ["get", "list", "watch", "create", "delete"] + verbs: ["get", "list", "watch", "create", "delete", "update"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] @@ -1434,11 +1002,11 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rbd-csi-provisioner-role-cfg - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator subjects: - kind: ServiceAccount name: rook-csi-rbd-provisioner-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator roleRef: kind: Role name: rbd-external-provisioner-cfg 
@@ -1450,18 +1018,6 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rbd-csi-nodeplugin -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.ceph.rook.io/aggregate-to-rbd-csi-nodeplugin: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-csi-nodeplugin-rules - labels: - rbac.ceph.rook.io/aggregate-to-rbd-csi-nodeplugin: "true" rules: - apiGroups: [""] resources: ["secrets"] @@ -1486,31 +1042,22 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: rbd-external-provisioner-runner -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.ceph.rook.io/aggregate-to-rbd-external-provisioner-runner: "true" -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: rbd-external-provisioner-runner-rules - labels: - rbac.ceph.rook.io/aggregate-to-rbd-external-provisioner-runner: "true" rules: - apiGroups: [""] resources: ["secrets"] - verbs: ["get", "list"] + verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete", "update"] + verbs: ["get", "list", "watch", "create", "delete", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch"] 
@@ -1529,12 +1076,21 @@ rules: - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete", "get", "update"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots/status"] verbs: ["update"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: [ "get"] # OLM: END CSI RBD CLUSTER ROLE # OLM: BEGIN CSI RBD CLUSTER ROLEBINDING --- @@ -1549,7 +1105,7 @@ roleRef: subjects: - kind: ServiceAccount name: rook-csi-rbd-plugin-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -1562,7 +1118,7 @@ roleRef: subjects: - kind: ServiceAccount name: rook-csi-rbd-provisioner-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -1571,7 +1127,7 @@ metadata: subjects: - kind: ServiceAccount name: rook-csi-rbd-plugin-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator roleRef: kind: ClusterRole name: rbd-csi-nodeplugin @@ -1584,7 +1140,7 @@ metadata: subjects: - kind: ServiceAccount name: rook-csi-rbd-provisioner-sa - namespace: "{{ rook_namespace }}" + namespace: "{{ rook_namespace }}" # namespace:operator roleRef: kind: ClusterRole name: rbd-external-provisioner-runner
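Review bot: `verbs: [ "get"]` in the new configmaps rule of the hunk at -1529 has a stray space after the bracket, unlike every other flow sequence in the file; write it as `verbs: ["get"]`. That rule also grants the RBD provisioner `get` on configmaps in all namespaces through the ClusterRole although the namespaced `rbd-external-provisioner-cfg` Role (hunk at -1402) already covers configmaps in the operator namespace; if a configmap outside that namespace is really read, a comment naming it would justify the cluster-wide grant. The ClusterRole's rules start outside the hunk.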