charts/rook-ceph/templates/psp.yaml - atmosphere - Gitiles

 {{- if .Values.pspEnable }}
 {{- if semverCompare "<1.25.0-0" .Capabilities.KubeVersion.GitVersion }}
 # We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
 # * privileged (for kube-system namespace)
 # * restricted (for all logged in users)
 #
 # PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
 # `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
 # close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
 # environments with other `00`-prefixed PSPs.
 #
 # More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: 00-rook-privileged
   annotations:
     seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
     seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
 spec:
   privileged: true
   allowedCapabilities:
     # required by CSI
     - SYS_ADMIN
     - MKNOD
   fsGroup:
     rule: RunAsAny
   # runAsUser, supplementalGroups - Rook needs to run some pods as root
   # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
   runAsUser:
     rule: RunAsAny
   supplementalGroups:
     rule: RunAsAny
   # seLinux - seLinux context is unknown ahead of time; set if this is well-known
   seLinux:
     rule: RunAsAny
   volumes:
     # recommended minimum set
     - configMap
     - downwardAPI
     - emptyDir
     - persistentVolumeClaim
     - secret
     - projected
     # required for Rook
     - hostPath
   # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
   # allowedHostPaths:
   #   - pathPrefix: "/run/udev"  # for OSD prep
   #     readOnly: false
   #   - pathPrefix: "/dev"  # for OSD prep
   #     readOnly: false
   #   - pathPrefix: "/var/lib/rook"  # or whatever the dataDirHostPath value is set to
   #     readOnly: false
   # Ceph requires host IPC for setting up encrypted devices
   hostIPC: true
   # Ceph OSDs need to share the same PID namespace
   hostPID: true
   # hostNetwork can be set to 'false' if host networking isn't used
   hostNetwork: true
   hostPorts:
     # Ceph messenger protocol v1
     - min: 6789
       max: 6790 # <- support old default port
     # Ceph messenger protocol v2
     - min: 3300
       max: 3300
     # Ceph RADOS ports for OSDs, MDSes
     - min: 6800
       max: 7300
     # # Ceph dashboard port HTTP (not recommended)
     # - min: 7000
     #   max: 7000
     # Ceph dashboard port HTTPS
     - min: 8443
       max: 8443
     # Ceph mgr Prometheus Metrics
     - min: 9283
       max: 9283
     # port for CSIAddons
     - min: 9070
       max: 9070
 {{- if .Values.rbacEnable }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: 'psp:rook'
   labels:
     operator: rook
     storage-backend: ceph
     {{- include "library.rook-ceph.labels" . | nindent 4 }}
 rules:
 - apiGroups:
   - policy
   resources:
   - podsecuritypolicies
   resourceNames:
   - 00-rook-privileged
   verbs:
   - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: rook-ceph-system-psp
   labels:
     operator: rook
     storage-backend: ceph
     {{- include "library.rook-ceph.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: 'psp:rook'
 subjects:
   - kind: ServiceAccount
     name: rook-ceph-system
     namespace: {{ .Release.Namespace }} # namespace:operator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: rook-csi-cephfs-provisioner-sa-psp
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: 'psp:rook'
 subjects:
   - kind: ServiceAccount
     name: rook-csi-cephfs-provisioner-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: rook-csi-cephfs-plugin-sa-psp
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: 'psp:rook'
 subjects:
   - kind: ServiceAccount
     name: rook-csi-cephfs-plugin-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: rook-csi-rbd-plugin-sa-psp
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: 'psp:rook'
 subjects:
   - kind: ServiceAccount
     name: rook-csi-rbd-plugin-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: rook-csi-rbd-provisioner-sa-psp
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: 'psp:rook'
 subjects:
   - kind: ServiceAccount
     name: rook-csi-rbd-provisioner-sa
     namespace: {{ .Release.Namespace }} # namespace:operator
 {{- end }}
 {{- end }}
 {{- end }}
	{{- if .Values.pspEnable }}
	{{- if semverCompare "<1.25.0-0" .Capabilities.KubeVersion.GitVersion }}
	# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
	# * privileged (for kube-system namespace)
	# * restricted (for all logged in users)
	#
	# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
	# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
	# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
	# environments with other `00`-prefixed PSPs.
	#
	# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
	apiVersion: policy/v1beta1
	kind: PodSecurityPolicy
	metadata:
	name: 00-rook-privileged
	annotations:
	seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
	seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
	spec:
	privileged: true
	allowedCapabilities:
	# required by CSI
	- SYS_ADMIN
	- MKNOD
	fsGroup:
	rule: RunAsAny
	# runAsUser, supplementalGroups - Rook needs to run some pods as root
	# Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
	runAsUser:
	rule: RunAsAny
	supplementalGroups:
	rule: RunAsAny
	# seLinux - seLinux context is unknown ahead of time; set if this is well-known
	seLinux:
	rule: RunAsAny
	volumes:
	# recommended minimum set
	- configMap
	- downwardAPI
	- emptyDir
	- persistentVolumeClaim
	- secret
	- projected
	# required for Rook
	- hostPath
	# allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
	# allowedHostPaths:
	# - pathPrefix: "/run/udev" # for OSD prep
	# readOnly: false
	# - pathPrefix: "/dev" # for OSD prep
	# readOnly: false
	# - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
	# readOnly: false
	# Ceph requires host IPC for setting up encrypted devices
	hostIPC: true
	# Ceph OSDs need to share the same PID namespace
	hostPID: true
	# hostNetwork can be set to 'false' if host networking isn't used
	hostNetwork: true
	hostPorts:
	# Ceph messenger protocol v1
	- min: 6789
	max: 6790 # <- support old default port
	# Ceph messenger protocol v2
	- min: 3300
	max: 3300
	# Ceph RADOS ports for OSDs, MDSes
	- min: 6800
	max: 7300
	# # Ceph dashboard port HTTP (not recommended)
	# - min: 7000
	# max: 7000
	# Ceph dashboard port HTTPS
	- min: 8443
	max: 8443
	# Ceph mgr Prometheus Metrics
	- min: 9283
	max: 9283
	# port for CSIAddons
	- min: 9070
	max: 9070
	{{- if .Values.rbacEnable }}
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: 'psp:rook'
	labels:
	operator: rook
	storage-backend: ceph
	{{- include "library.rook-ceph.labels" . \| nindent 4 }}
	rules:
	- apiGroups:
	- policy
	resources:
	- podsecuritypolicies
	resourceNames:
	- 00-rook-privileged
	verbs:
	- use
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: rook-ceph-system-psp
	labels:
	operator: rook
	storage-backend: ceph
	{{- include "library.rook-ceph.labels" . \| nindent 4 }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: 'psp:rook'
	subjects:
	- kind: ServiceAccount
	name: rook-ceph-system
	namespace: {{ .Release.Namespace }} # namespace:operator
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: rook-csi-cephfs-provisioner-sa-psp
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: 'psp:rook'
	subjects:
	- kind: ServiceAccount
	name: rook-csi-cephfs-provisioner-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: rook-csi-cephfs-plugin-sa-psp
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: 'psp:rook'
	subjects:
	- kind: ServiceAccount
	name: rook-csi-cephfs-plugin-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: rook-csi-rbd-plugin-sa-psp
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: 'psp:rook'
	subjects:
	- kind: ServiceAccount
	name: rook-csi-rbd-plugin-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: rook-csi-rbd-provisioner-sa-psp
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: 'psp:rook'
	subjects:
	- kind: ServiceAccount
	name: rook-csi-rbd-provisioner-sa
	namespace: {{ .Release.Namespace }} # namespace:operator
	{{- end }}
	{{- end }}
	{{- end }}