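{{- if .Values.pspEnable }}
{{- if semverCompare "<1.25.0-0" .Capabilities.KubeVersion.GitVersion }}
# PodSecurityPolicy was removed in Kubernetes 1.25, so nothing in this file renders on 1.25+.
# The "-0" suffix makes pre-release builds such as 1.25.0-alpha.1 count as >= 1.25 as well.
# When rendering offline (`helm template`), pass --kube-version so the comparison is made against
# the target cluster's version rather than Helm's built-in default.
#
# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs:
# * privileged (for kube-system namespace)
# * restricted (for all logged in users)
#
# PSPs that admit a pod without mutating it are preferred; when the pod has to be mutated to fit
# (this PSP defaults the seccomp profile via the annotations below, so it is mutating), the first
# allowing PSP ordered by name wins. `rook-ceph-operator` sorts after `restricted`, so this PSP is
# named `00-rook-privileged` to sort near the top and make sure Rook's pods get the intended PSP.
# It may need to be renamed in environments with other `00`-prefixed PSPs.
#
# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
#
# SECURITY NOTE: this PSP is effectively "node root". It allows privileged containers, the host
# PID/IPC/network namespaces and unrestricted hostPath mounts. Any ServiceAccount granted `use`
# on it (see the RBAC objects below) can take over the node it is scheduled on, so bind it only
# to the Rook operator and CSI ServiceAccounts and never to a broad group such as
# system:serviceaccounts or system:authenticated.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: 00-rook-privileged
  annotations:
    # Pods may only request the runtime default seccomp profile, and receive it when they request
    # none (this defaulting is what makes the PSP "mutating" for ordering purposes).
    # NOTE(review): container runtimes generally do not apply seccomp to privileged containers,
    # so in practice this only constrains non-privileged pods using this PSP — confirm for your
    # runtime.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: true
  # required by CSI. Note that a privileged container already has every capability; this list
  # only bounds what non-privileged containers using this PSP may add.
  allowedCapabilities:
    - SYS_ADMIN
    - MKNOD
  fsGroup:
    rule: RunAsAny
  # runAsUser, supplementalGroups - Rook needs to run some pods as root
  # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  # seLinux - seLinux context is unknown ahead of time; set if this is well-known
  seLinux:
    rule: RunAsAny
  volumes:
    # recommended minimum set
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - secret
    - projected
    # required for Rook
    - hostPath
  # With hostPath allowed and no allowedHostPaths, ANY host path may be mounted (including / and
  # the container runtime socket). Restrict it to Rook's known host volume mount points when they
  # are fully-known:
  # allowedHostPaths:
  #   - pathPrefix: "/run/udev" # for OSD prep
  #     readOnly: false
  #   - pathPrefix: "/dev" # for OSD prep
  #     readOnly: false
  #   - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
  #     readOnly: false
  # Ceph requires host IPC for setting up encrypted devices
  hostIPC: true
  # Ceph OSDs need to share the same PID namespace
  hostPID: true
  # hostNetwork can be set to 'false' if host networking isn't used
  hostNetwork: true
  # hostPorts only restricts the `hostPort` field of container port declarations. A pod admitted
  # with hostNetwork: true can bind any port on the node regardless of these ranges; they are
  # only a meaningful limit once hostNetwork is set to false.
  hostPorts:
    # Ceph messenger protocol v1
    - min: 6789
      max: 6790 # <- support old default port
    # Ceph messenger protocol v2
    - min: 3300
      max: 3300
    # Ceph RADOS ports for OSDs, MDSes
    - min: 6800
      max: 7300
    # # Ceph dashboard port HTTP (not recommended)
    # - min: 7000
    #   max: 7000
    # Ceph dashboard port HTTPS
    - min: 8443
      max: 8443
    # Ceph mgr Prometheus Metrics
    - min: 9283
      max: 9283
    # port for CSIAddons
    - min: 9070
      max: 9070
{{- if .Values.rbacEnable }}
---
# Grants `use` on the PSP above only (scoped by resourceNames). Every subject bound to this
# ClusterRole can run node-root pods, so keep the bindings below limited to the Rook operator
# and CSI ServiceAccounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: 'psp:rook'
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - 00-rook-privileged
    verbs:
      - use
---
# Rook operator ServiceAccount
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-ceph-system-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: {{ .Release.Namespace }} # namespace:operator
---
# CSI ServiceAccounts. These carry the same chart labels as the objects above so that label-based
# inventory and cleanup tooling sees every object that grants this PSP.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-csi-cephfs-provisioner-sa-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-csi-cephfs-provisioner-sa
    namespace: {{ .Release.Namespace }} # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-csi-cephfs-plugin-sa-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-csi-cephfs-plugin-sa
    namespace: {{ .Release.Namespace }} # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-csi-rbd-plugin-sa-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-csi-rbd-plugin-sa
    namespace: {{ .Release.Namespace }} # namespace:operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: rook-csi-rbd-provisioner-sa-psp
  labels:
    operator: rook
    storage-backend: ceph
    {{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'psp:rook'
subjects:
  - kind: ServiceAccount
    name: rook-csi-rbd-provisioner-sa
    namespace: {{ .Release.Namespace }} # namespace:operator
{{- end }}
{{- end }}
{{- end }}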