
Commit 4a74124

TorLdreXartos
authored andcommitted
rook: add option to enable cephfs csi
1 parent 4e99233 commit 4a74124


4 files changed

+194
-1
lines changed


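--- a/rook/helmfile.d/values/networkpolicies.yaml.gotmpl
+++ b/rook/helmfile.d/values/networkpolicies.yaml.gotmpl
@@ -45,6 +45,16 @@ rules:
 - tcp: 6800
 end: 7300
 
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+egress-rule-mds:
+peers:
+- podSelectorLabels:
+app: rook-ceph-mds
+ports:
+- tcp: 6800
+end: 7568
+{{- end }}
+
 peers-rule-nodes:
 peers: {{- toYaml $netpol.nodePeers | nindent 6 }}
 
@@ -87,6 +97,9 @@ policies:
 - rule: egress-rule-mgr
 - rule: egress-rule-mon
 - rule: egress-rule-osd
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+- rule: egress-rule-mds
+{{- end }}
 ingress:
 - rule: ingress-rule-apiserver
 ports:
@@ -128,6 +141,9 @@ policies:
 - rule: egress-rule-apiserver
 - rule: egress-rule-mon
 - rule: egress-rule-osd
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+- rule: egress-rule-mds
+{{- end }}
 ingress:
 - name: ingress-rule-blackbox
 ports:
@@ -149,6 +165,12 @@ policies:
 app: rook-ceph-osd
 - podSelectorLabels:
 app: rook-ceph-crashcollector
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+- podSelectorLabels:
+app: csi-cephfsplugin-provisioner
+- podSelectorLabels:
+app: rook-ceph-mds
+{{- end }}
 ports:
 - tcp: 6800
 
@@ -161,6 +183,9 @@ policies:
 - rule: egress-rule-mgr
 - rule: egress-rule-mon
 - rule: egress-rule-osd
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+- rule: egress-rule-mds
+{{- end }}
 ingress:
 - rule: peers-rule-nodes
 ports:
@@ -183,6 +208,12 @@ policies:
 app: rook-ceph-crashcollector
 - podSelectorLabels:
 app: rook-ceph-exporter
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+- podSelectorLabels:
+app: csi-cephfsplugin-provisioner
+- podSelectorLabels:
+app: rook-ceph-mds
+{{- end }}
 ports:
 - tcp: 3300
 - tcp: 6789
@@ -195,6 +226,9 @@ policies:
 - rule: egress-rule-mgr
 - rule: egress-rule-mon
 - rule: egress-rule-osd
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+- rule: egress-rule-mds
+{{- end }}
 - rule: peers-rule-nodes
 ports:
 - tcp: 6800
@@ -215,6 +249,12 @@ policies:
 app: rook-ceph-mgr
 - podSelectorLabels:
 app: rook-ceph-osd
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+- podSelectorLabels:
+app: csi-cephfsplugin-provisioner
+- podSelectorLabels:
+app: rook-ceph-mds
+{{- end }}
 ports:
 - tcp: 6800
 end: 7300
@@ -233,3 +273,56 @@ policies:
 egress:
 - rule: egress-rule-mgr
 - rule: egress-rule-mon
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+- rule: egress-rule-mds
+{{- end }}
+
+{{- if .Values | get "csi.enableCephfsDriver" false }}
+csi-cephfsplugin-provisioner:
+podSelectorLabels:
+app: csi-cephfsplugin-provisioner
+egress:
+- rule: egress-rule-apiserver
+- rule: egress-rule-mgr
+- rule: egress-rule-mon
+- rule: egress-rule-mds
+- rule: egress-rule-osd
+
+ceph-file-controller-detect-version:
+podSelectorLabels:
+app: ceph-file-controller-detect-version
+egress:
+- rule: egress-rule-apiserver
+
+mds:
+podSelectorLabels:
+app: rook-ceph-mds
+egress:
+- rule: egress-rule-apiserver
+- rule: egress-rule-mgr
+- rule: egress-rule-mon
+- rule: egress-rule-osd
+ingress:
+- rule: peers-rule-nodes
+ports:
+- tcp: 6800
+end: 7568
+- peers:
+- podSelectorLabels:
+app: csi-cephfsplugin-provisioner
+- podSelectorLabels:
+app: rook-ceph-operator
+- podSelectorLabels:
+app.kubernetes.io/name: rook-ceph-toolbox
+- podSelectorLabels:
+app: rook-ceph-mon
+- podSelectorLabels:
+app: rook-ceph-osd
+- podSelectorLabels:
+app: rook-ceph-mgr
+- podSelectorLabels:
+app: rook-ceph-crashcollector
+ports:
+- tcp: 6800
+end: 7568
+{{- end }}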
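Review bot: The new `egress-rule-mds` rule and the `mds` ingress entry open `6800` to `7568`, while every existing osd rule in this file stops at `7300`, and nothing in the hunks says why the mds range is wider; a comment on the rule, e.g. `# mds: wider daemon port range than the osd rules above, keep in sync with the ingress entry for mds`, would stop the next maintainer from "normalising" it to 7300 and silently breaking cephfs. The condition `.Values | get "csi.enableCephfsDriver" false` is repeated in all nine hunks; binding it once near the top of the file (outside these hunks), `{{- $cephfs := .Values | get "csi.enableCephfsDriver" false }}`, and testing `{{- if $cephfs }}` keeps the key name in one place. The mds ingress peer list admits seven pod selectors including the toolbox and crashcollector; if any of those do not actually talk to mds they could be dropped to keep the policy minimal, but that is an inference from the hunk, not something it shows.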

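--- a/rook/helmfile.d/values/operator.yaml.gotmpl
+++ b/rook/helmfile.d/values/operator.yaml.gotmpl
@@ -16,7 +16,7 @@ tolerations: {{- toYaml . | nindent 2 }}
 {{- end }}
 
 csi:
-enableCephfsDriver: false
+enableCephfsDriver: {{ .Values | get "csi.enableCephfsDriver" false }}
 
 csiRBDProvisionerResource: |
 {{- range $name, $config := omit .Values.provisioner "tolerations" }}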

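--- a/rook/helmfile.d/values/podsecuritypolicies.yaml.gotmpl
+++ b/rook/helmfile.d/values/podsecuritypolicies.yaml.gotmpl
@@ -242,3 +242,97 @@ constraints:
 rule: RunAsAny
 mutation:
 dropAllCapabilities: false
+
+{{ if .Values | get "csi.enableCephfsDriver" false }}
+cephfs-ctrl-detect-version:
+podSelectorLabels:
+app: ceph-file-controller-detect-version
+allow:
+volumes:
+- emptyDir
+- projected
+mutation:
+runAsGroup: 2016
+runAsUser: 2016
+fsGroup: 2016
+
+csi-cephfsplugin-provisioner:
+podSelectorLabels:
+app: csi-cephfsplugin-provisioner
+allow:
+volumes:
+- configMap
+- emptyDir
+- hostPath
+- projected
+allowedHostPaths:
+- pathPrefix: /dev
+- pathPrefix: /lib/modules
+- pathPrefix: /sys
+runAsUser:
+rule: RunAsAny
+runAsGroup:
+rule: RunAsAny
+supplementalGroups:
+rule: RunAsAny
+fsGroup:
+rule: RunAsAny
+mutation:
+dropAllCapabilities: false
+
+csi-cephfsplugin:
+podSelectorLabels:
+app: csi-cephfsplugin
+allow:
+allowPrivilegeEscalation: true
+hostNetworkPorts: true
+hostNamespace: true
+privileged: true
+volumes:
+- configMap
+- emptyDir
+- hostPath
+- projected
+allowedHostPaths:
+- pathPrefix: /dev
+- pathPrefix: /lib/modules
+- pathPrefix: /run/mount
+- pathPrefix: /run/udev
+- pathPrefix: /sys
+- pathPrefix: /var/lib/rook
+- pathPrefix: /var/lib/kubelet/plugins_registry
+- pathPrefix: /var/lib/kubelet/plugins
+- pathPrefix: /var/lib/kubelet/pods
+runAsUser:
+rule: RunAsAny
+runAsGroup:
+rule: RunAsAny
+supplementalGroups:
+rule: RunAsAny
+fsGroup:
+rule: RunAsAny
+mutation:
+dropAllCapabilities: false
+
+mds:
+podSelectorLabels:
+app: rook-ceph-mds
+allow:
+volumes:
+- emptyDir
+- hostPath
+- projected
+- secret
+allowedHostPaths:
+- pathPrefix: /var/lib/rook
+runAsUser:
+rule: RunAsAny
+runAsGroup:
+rule: RunAsAny
+supplementalGroups:
+rule: RunAsAny
+fsGroup:
+rule: RunAsAny
+mutation:
+dropAllCapabilities: false
+{{ end }}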
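Review bot: The `csi-cephfsplugin` constraint grants `privileged: true`, `hostNamespace: true`, `hostNetworkPorts: true` and hostPath access under `/var/lib/kubelet/pods`, which together amount to node-level access for any pod matching `app: csi-cephfsplugin`, and the hunk records no reason; a comment above the entry such as `# node plugin DaemonSet: needs privileged + host mounts to attach cephfs volumes on the host` documents why this exception exists and what label it hinges on. For the provisioner entry, `/dev`, `/lib/modules` and `/sys` are listed with no read-only marking; if the constraint schema this file feeds accepts a `readOnly` field on `allowedHostPaths` entries, the ones that are only read (at least `/lib/modules` and `/sys`, presumably) should carry it. This file uses `{{ if` / `{{ end }}` where the networkpolicies file in the same commit uses `{{- if` / `{{- end }}`; the untrimmed form leaves blank lines in the rendered values, so `{{- if .Values | get "csi.enableCephfsDriver" false }}` and `{{- end }}` would be consistent.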

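--- a/rook/template/values.yaml
+++ b/rook/template/values.yaml
@@ -203,3 +203,9 @@ clusters:
 networkPolicies:
 apiserverPeers: []
 nodePeers: []
+csi:
+# when true, the rook operator will install the necessary compononents
+# for creating cephfs volumes in the workload cluster, which facilitate
+# RWX mounts. This adds operational overhead in the form of
+# metadata (mds), cephfs provisioner, and plugin pods in the ceph cluster.
+enableCephfsDriver: false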
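Review bot: `compononents` in the first added comment line is a typo for `components`. The comment describes only the operator side of the flag, but in this commit the same key also gates the mds/provisioner network policies and the relaxed pod security constraints (including a privileged node plugin), which is what an operator toggling it most needs to know; adding `# Also enables the matching network policies and the privileged pod security constraints for the cephfs plugin.` would make that visible at the one place the value is set.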
