doc: Update capabilities readme to solve to open permissions in it #4469
Conversation
dragoangel
changed the title
|
Thanks for the PR! Please update the commit subject with |
nixpanic
changed the title
mergify
bot
added
ci/skip/e2e
|
@nixpanic now it's good? |
Thanks! Yes, I think it looks good. 2 reviews are needed to get it merged, maybe someone else has other comments. |
docs/capabilities.md
Outdated
| ``` | ||
|
|
||
| To get more insights on capabilities of CephFS you can refer | ||
| [this document](https://ceph.readthedocs.io/en/latest/cephfs/client-auth/) | ||
|
|
||
| ## Command to a create user with required capabilities | ||
|
|
||
| `kubernetes` in the below commands represents an user which is subjected | ||
| to change as per your requirement. | ||
| `USER`, `POOL` and `FS_NAME` with `SUB_VOL` variables bellow is subject to change, please adjust them to your needs. |
There was a problem hiding this comment.
Please add a linebreak before 80 chars.
./docs/capabilities.md:40: MD013 Line length
There was a problem hiding this comment.
@nixpanic can you please advice what about code blocks? Can they be longer? Like:
mds "allow r fsname=cephfs path=/volumes, allow rws fsname=cephfs path=/volumes/csi"
I fixed everything else, except that
There was a problem hiding this comment.
Thanks! I think code blocks should be fine. CI runs have been approved again, so we'll know in a few minutes :)
There was a problem hiding this comment.
Everything passed, looks good 👍
|
/test ci/centos/k8s-e2e-external-storage/1.29 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/mini-e2e/k8s-1.29 |
|
/test ci/centos/k8s-e2e-external-storage/1.28 |
|
/test ci/centos/mini-e2e-helm/k8s-1.28 |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/mini-e2e/k8s-1.28 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
| mds 'allow rw' | ||
| USER=csi-cephfs | ||
| FS_NAME=cephfs | ||
| SUB_VOL=csi |
There was a problem hiding this comment.
this will always be csi we dont allow changing it
There was a problem hiding this comment.
Actually this not true, it possible to change it to another subvolume, and I used it this way already to host multiply clusters on same cehpfs but on different subvolumes.
docs/capabilities.md
Outdated
| mon 'profile rbd' \ | ||
| osd 'profile rbd' \ | ||
| mgr 'allow rw' | ||
| USER=csi |
There was a problem hiding this comment.
USER=csi to USER=csi-rbd lets keep the names constant for both cephfs and rbd
There was a problem hiding this comment.
@Madhu-1 the point that ceph-csi-rbd and ceph-csi-cephfs is different deployments that can (and should) have different users that each has own permissions, I don't understand why they should be one mixed super overpowered thing. The point of this PR is to provide example of real permissions needed and not overgive permissions where it doesn't needed.
There was a problem hiding this comment.
i dont see any point in calling rbd user name as just csi user and cephfs as csi-cephfs, ideally both should be similar in the documented examples. but as its configurable users can configure it as per the requirement.
There was a problem hiding this comment.
I can change it to csi-rbd to align with csi-cephfs, so they will be definitely not same, but will look better, is this okay?
There was a problem hiding this comment.
Pushed, please review 😊
|
@Mergifyio queue |
🛑 The pull request has been removed from the queue
|
|
@Mergifyio rebase |
Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com>
✅ Branch has been successfully rebased |
|
@Mergifyio queue |
✅ The pull request has been merged automaticallyThe pull request has been merged automatically at 6c43789 |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/k8s-e2e-external-storage/1.29 |
|
/test ci/centos/k8s-e2e-external-storage/1.28 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
/test ci/centos/mini-e2e-helm/k8s-1.28 |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/mini-e2e/k8s-1.29 |
|
/test ci/centos/mini-e2e/k8s-1.28 |
Describe what this PR does
Update documentation about required capabilities by Ceph CSI plugin and improve examples:
provisionerwithcontrollerfromnodecapabilities, as they doesn't provide any security benefits at all, just confuse people.Is there anything that requires special attention
N/A
Related issues
#1818
Fixes: #2687
Future concerns
N/A
Checklist:
guidelines in the developer
guide.
Request
notes
updated with breaking and/or notable changes for the next major release.
Show available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)