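{{- if .Values.pspEnable }}
{{- if semverCompare "<1.25.0-0" .Capabilities.KubeVersion.GitVersion }}
# PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25, so everything in this
# file is rendered only on older clusters (see the semverCompare gate above).
#
# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
# * privileged (for kube-system namespace)
# * restricted (for all logged in users)
#
# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
# environments with other `00`-prefixed PSPs.
#
# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
#
# This policy is deliberately permissive (privileged, host IPC/PID/network, hostPath). The only
# control on who may run under it is the RBAC further down, which grants `use` on this one
# policy name to the Rook operator and CSI service accounts. Keep that subject list tight.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 00-rook-privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: true
  allowedCapabilities:
    # required by CSI
    - SYS_ADMIN
    - MKNOD
  fsGroup:
    rule: RunAsAny
  # runAsUser, supplementalGroups - Rook needs to run some pods as root
  # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # seLinux - seLinux context is unknown ahead of time; set if this is well-known
  seLinux:
    rule: RunAsAny
  volumes:
    # recommended minimum set
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - secret
    - projected
    # required for Rook
    - hostPath
  # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known.
  # While it is unset, any host path may be mounted by pods using this policy.
  # allowedHostPaths:
  #   - pathPrefix: "/run/udev" # for OSD prep
  #     readOnly: false
  #   - pathPrefix: "/dev" # for OSD prep
  #     readOnly: false
  #   - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
  #     readOnly: false
  # Ceph requires host IPC for setting up encrypted devices
  hostIPC: true
  # Ceph OSDs need to share the same PID namespace
  hostPID: true
  # hostNetwork can be set to 'false' if host networking isn't used
  hostNetwork: true
  hostPorts:
    # Ceph messenger protocol v1
    - min: 6789
      max: 6790 # <- support old default port
    # Ceph messenger protocol v2
    - min: 3300
      max: 3300
    # Ceph RADOS ports for OSDs, MDSes
    - min: 6800
      max: 7300
    # # Ceph dashboard port HTTP (not recommended)
    # - min: 7000
    #   max: 7000
    # Ceph dashboard port HTTPS
    - min: 8443
      max: 8443
    # Ceph mgr Prometheus Metrics
    - min: 9283
      max: 9283
    # port for CSIAddons
    - min: 9070
      max: 9070
{{- if .Values.rbacEnable }}
---
# Grants `use` on the single policy above. Without this role and its bindings the PSP
# exists but nothing is admitted under it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: 'psp:rook'
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - 00-rook-privileged
    verbs:
      - use
---
# The release namespace is quoted so a namespace whose name looks like a YAML boolean
# or number is still rendered as a string.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-ceph-system-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: "{{ .Release.Namespace }}" # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-csi-cephfs-provisioner-sa-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-csi-cephfs-provisioner-sa
    namespace: "{{ .Release.Namespace }}" # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-csi-cephfs-plugin-sa-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-csi-cephfs-plugin-sa
    namespace: "{{ .Release.Namespace }}" # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-csi-rbd-plugin-sa-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-csi-rbd-plugin-sa
    namespace: "{{ .Release.Namespace }}" # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-csi-rbd-provisioner-sa-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-csi-rbd-provisioner-sa
    namespace: "{{ .Release.Namespace }}" # namespace:operator
{{- end }}
{{- end }}
{{- end }}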