Describe the bug
When deploying ceph-csi-operator on OpenShift, it fails to create Pods for the Ceph-CSI drivers.
Environment details
- Image/version of ceph-csi-operator : latest
- Image/version of Ceph-CSI driver : default picked by the operator
- Kubernetes cluster version : OpenShift 4.18 (but likely any version)
- Ceph cluster version : v19
Steps to reproduce
Steps to reproduce the behavior:
- Setup details: follow the quickstart or kubernetes installation
- Deployments are created, Pods cannot be started
Actual results
Ceph-CSI driver Pods are not started.
Expected behavior
Ceph-CSI driver Pods are started.
Additional context
It seems the SecurityContextConstraints are missing. Something similar to this needs to be added with the right Namespace for the ServiceAccounts:
```yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: ceph-csi-op-scc
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
  - SYS_ADMIN
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
# ${NAMESPACE} is the Namespace that holds the ServiceAccounts
users:
  - system:serviceaccount:${NAMESPACE}:ceph-csi-cephfs-ctrlplugin-sa
  - system:serviceaccount:${NAMESPACE}:ceph-csi-cephfs-nodeplugin-sa
  - system:serviceaccount:${NAMESPACE}:ceph-csi-nfs-ctrlplugin-sa
  - system:serviceaccount:${NAMESPACE}:ceph-csi-nfs-nodeplugin-sa
  - system:serviceaccount:${NAMESPACE}:ceph-csi-rbd-ctrlplugin-sa
  - system:serviceaccount:${NAMESPACE}:ceph-csi-rbd-nodeplugin-sa
volumes:
  - configMap
  - emptyDir
  - hostPath
  - projected
```
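A check for the "right Namespace" point above, as an added example that is not part of the original issue or of the ceph-csi-operator project: it reads the `users:` list of a rendered SCC manifest and reports subjects that still contain `${NAMESPACE}`, name a different namespace, or are missing from the list. The namespace `example-ns`, the sample manifest and the function names are constructed for illustration.

```python
import re

# The six ServiceAccounts named in the SCC from the issue.
EXPECTED_SAS = [f"ceph-csi-{drv}-{role}-sa"
                for drv in ("cephfs", "nfs", "rbd")
                for role in ("ctrlplugin", "nodeplugin")]
SUBJECT_RE = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")

# Constructed sample: one correct subject, one wrong namespace, one unrendered.
SAMPLE = """\
users:
  - system:serviceaccount:example-ns:ceph-csi-rbd-ctrlplugin-sa
  - system:serviceaccount:default:ceph-csi-rbd-nodeplugin-sa
  - system:serviceaccount:${NAMESPACE}:ceph-csi-nfs-nodeplugin-sa
volumes:
  - hostPath
"""


def scc_users(manifest):
    """Return the entries of the top-level `users:` list of an SCC manifest."""
    users, in_users = [], False
    for line in manifest.splitlines():
        text = line.split(" #")[0].strip()
        if not text or text.startswith("#"):
            continue
        if not line[0].isspace() and not text.startswith("-"):
            in_users = text == "users:"  # a new top-level key starts here
        elif in_users and text.startswith("- "):
            users.append(text[2:].strip().strip("'\""))
    return users


def check_subjects(manifest, namespace):
    """Sort SCC subjects by how they relate to the operator's namespace."""
    report = {"unrendered": [], "wrong_namespace": [], "other": []}
    granted = set()
    for user in scc_users(manifest):
        match = SUBJECT_RE.match(user)
        if "${" in user:
            report["unrendered"].append(user)
        elif not match:
            report["other"].append(user)
        elif match.group(1) != namespace:
            report["wrong_namespace"].append(user)
        else:
            granted.add(match.group(2))
    report["missing"] = [sa for sa in EXPECTED_SAS if sa not in granted]
    return report
```

Calling `check_subjects(SAMPLE, "example-ns")` returns the grouped subjects; any entry under `unrendered`, `wrong_namespace` or `missing` means the SCC does not cover that ServiceAccount in the target namespace.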