diff --git a/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml b/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml
index f6fe14a3e5e..5aacbe271ab 100644
--- a/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml
+++ b/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml
@@ -2,10 +2,16 @@ apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
   name: {{ .Values.driverName }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 spec:
   attachRequired: false
   podInfoOnMount: false
-  fsGroupPolicy: {{ default "File" .Values.CSIDriver.fsGroupPolicy }}
-{{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }}
+  fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }}
+{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}
   seLinuxMount: true
 {{- end }}
diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
index ec61a67137b..632672ebd54 100644
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
@@ -14,4 +14,10 @@ rules:
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
 {{- end -}}
diff --git a/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml
index e080e62734b..1405655e99c 100644
--- a/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml
+++ b/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml
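Review bot: The new seLinuxMount guard reads `.Values.seLinuxMount`, but both values.yaml changes in this commit define the key as `CSIDriver.seLinuxMount`, so in a default install the condition is nil and `seLinuxMount: true` is never rendered, which silently reverts what the chart previously set on Kubernetes >= 1.25; the same mismatch is in charts/ceph-csi-rbd/templates/csidriver-crd.yaml. The guard should read `{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.CSIDriver.seLinuxMount }}`. Dropping `default "File"` on the fsGroupPolicy line also means a values override that omits the key renders an empty `fsGroupPolicy:`, leaving the policy to the API server default rather than File; keep the fallback as `fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy | default "File" }}`.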
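Review bot: The two added rules give the nodeplugin ClusterRole cluster-wide `get` on every Secret and ConfigMap, and neither the hunk nor the commit says which objects the plugin actually reads; since the nodeplugin runs on every node, this is a broad read grant that deserves a comment on each rule naming its consumer. If the objects it reads live in a known namespace (for example the release namespace), a namespaced Role plus RoleBinding, or `resourceNames` on these rules, would keep the grant closer to least privilege. The same question applies to the configmaps rule added in charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml. The enclosing `{{- if }}` block that this `{{- end -}}` closes starts outside the hunk.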
@@ -14,6 +14,9 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get"]
   - apiGroups: [""]
     resources: ["persistentvolumes"]
     verbs: ["get", "list", "watch", "create", "update", "delete","patch"]
diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml
index f222a65544a..36d350b7ce1 100644
--- a/charts/ceph-csi-cephfs/values.yaml
+++ b/charts/ceph-csi-cephfs/values.yaml
@@ -57,6 +57,7 @@ sidecarLogLevel: 1
 # accessModes contains ReadWriteOnce.
 CSIDriver:
   fsGroupPolicy: "File"
+  seLinuxMount: true
 
 nodeplugin:
   name: nodeplugin
diff --git a/charts/ceph-csi-rbd/templates/csidriver-crd.yaml b/charts/ceph-csi-rbd/templates/csidriver-crd.yaml
index 99026f628aa..d1524527e0f 100644
--- a/charts/ceph-csi-rbd/templates/csidriver-crd.yaml
+++ b/charts/ceph-csi-rbd/templates/csidriver-crd.yaml
@@ -2,10 +2,16 @@ apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
   name: {{ .Values.driverName }}
+  labels:
+    app: {{ include "ceph-csi-rbd.name" . }}
+    chart: {{ include "ceph-csi-rbd.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 spec:
   attachRequired: true
   podInfoOnMount: false
-  fsGroupPolicy: File
-{{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }}
+  fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }}
+{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}
   seLinuxMount: true
 {{- end }}
diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml
index 1ad00ffa578..20e39cd8d21 100644
--- a/charts/ceph-csi-rbd/values.yaml
+++ b/charts/ceph-csi-rbd/values.yaml
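Review bot: The added `seLinuxMount: true` under `CSIDriver` carries no comment, unlike the neighbouring fsGroupPolicy key, so a reader of values.yaml cannot tell what it controls or that the template only emits it on Kubernetes >= 1.25; the same gap is in the key added to charts/ceph-csi-rbd/values.yaml. Suggested comment above the key: `# seLinuxMount sets spec.seLinuxMount on the CSIDriver object; only rendered on Kubernetes >= 1.25.`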
@@ -69,6 +69,24 @@ logLevel: 5
 # sidecarLogLevel is the variable for Kubernetes sidecar container's log level
 sidecarLogLevel: 1
 
+# Set fsGroupPolicy for CSI Driver object spec
+# https://kubernetes-csi.github.io/docs/support-fsgroup.html
+# The following modes are supported:
+# - None: Indicates that volumes will be mounted with no modifications, as the
+# CSI volume driver does not support these operations.
+# - File: Indicates that the CSI volume driver supports volume ownership and
+# permission change via fsGroup, and Kubernetes may use fsGroup to change
+# permissions and ownership of the volume to match user requested fsGroup in
+# the pod's SecurityPolicy regardless of fstype or access mode.
+# - ReadWriteOnceWithFSType: Indicates that volumes will be examined to
+# determine if volume ownership and permissions should be modified to match
+# the pod's security policy.
+# Changes will only occur if the fsType is defined and the persistent volume's
+# accessModes contains ReadWriteOnce.
+CSIDriver:
+  fsGroupPolicy: "File"
+  seLinuxMount: true
+
 nodeplugin:
   name: nodeplugin
   # set user created priorityclassName for csi plugin pods. default is