From d56c9abbce3c90c4c9339b299fb44d153145812c Mon Sep 17 00:00:00 2001 From: Ruslan Khizhnyak Date: Thu, 21 Mar 2024 01:58:05 +0300 Subject: [PATCH 1/2] helm: CSIDriver add labels and seLinuxMount disabling method Signed-off-by: Ruslan Khizhnyak --- .../templates/csidriver-crd.yaml | 10 ++++++++-- charts/ceph-csi-cephfs/values.yaml | 1 + .../ceph-csi-rbd/templates/csidriver-crd.yaml | 10 ++++++++-- charts/ceph-csi-rbd/values.yaml | 18 ++++++++++++++++++ 4 files changed, 35 insertions(+), 4 deletions(-) diff --git a/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml b/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml index f6fe14a3e5e..5aacbe271ab 100644 --- a/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml +++ b/charts/ceph-csi-cephfs/templates/csidriver-crd.yaml @@ -2,10 +2,16 @@ apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: {{ .Values.driverName }} + labels: + app: {{ include "ceph-csi-cephfs.name" . }} + chart: {{ include "ceph-csi-cephfs.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} spec: attachRequired: false podInfoOnMount: false - fsGroupPolicy: {{ default "File" .Values.CSIDriver.fsGroupPolicy }} -{{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }} + fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }} +{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }} seLinuxMount: true {{- end }} diff --git a/charts/ceph-csi-cephfs/values.yaml b/charts/ceph-csi-cephfs/values.yaml index f222a65544a..36d350b7ce1 100644 --- a/charts/ceph-csi-cephfs/values.yaml +++ b/charts/ceph-csi-cephfs/values.yaml @@ -57,6 +57,7 @@ sidecarLogLevel: 1 # accessModes contains ReadWriteOnce. CSIDriver: fsGroupPolicy: "File" + seLinuxMount: true nodeplugin: name: nodeplugin 
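Review bot: The new guard `{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}` tests a top-level `seLinuxMount` value, but the key this same patch introduces in values.yaml is `CSIDriver.seLinuxMount`, so the condition is nil by default and `seLinuxMount: true` is no longer rendered at all; every existing release silently loses the SELinux mount-option declaration on upgrade, with no Helm error. It should read `{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.CSIDriver.seLinuxMount }}`. The hunk also drops the `default "File"` fallback on `fsGroupPolicy`, so an explicit null/empty override now renders a bare `fsGroupPolicy:` and the API server applies its own default (ReadWriteOnceWithFSType, as far as I recall) instead of the chart's documented `File`; keeping `fsGroupPolicy: {{ default "File" .Values.CSIDriver.fsGroupPolicy }}` avoids that quiet change in ownership handling.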
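Review bot: This default is never consulted: both csidriver-crd templates in this patch test `.Values.seLinuxMount`, so setting or overriding `CSIDriver.seLinuxMount` here has no effect and the rendered CSIDriver object silently drops `seLinuxMount`. Either this key or the template path has to move; since the rbd chart uses the same `CSIDriver:` block, correcting the templates to `.Values.CSIDriver.seLinuxMount` is the smaller change. The key also lands with no comment, while `fsGroupPolicy` directly above is explained; a one-liner such as `# seLinuxMount: set to false to omit seLinuxMount from the CSIDriver object (it is only emitted on Kubernetes >= 1.25).` would tell the reader what turning it off does.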
diff --git a/charts/ceph-csi-rbd/templates/csidriver-crd.yaml b/charts/ceph-csi-rbd/templates/csidriver-crd.yaml index 99026f628aa..d1524527e0f 100644 --- a/charts/ceph-csi-rbd/templates/csidriver-crd.yaml +++ b/charts/ceph-csi-rbd/templates/csidriver-crd.yaml @@ -2,10 +2,16 @@ apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: {{ .Values.driverName }} + labels: + app: {{ include "ceph-csi-rbd.name" . }} + chart: {{ include "ceph-csi-rbd.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} spec: attachRequired: true podInfoOnMount: false - fsGroupPolicy: File -{{- if semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version }} + fsGroupPolicy: {{ .Values.CSIDriver.fsGroupPolicy }} +{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }} seLinuxMount: true {{- end }} diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml index 1ad00ffa578..20e39cd8d21 100644 --- a/charts/ceph-csi-rbd/values.yaml +++ b/charts/ceph-csi-rbd/values.yaml 
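Review bot: The guard `{{- if and (semverCompare ">= 1.25.x" .Capabilities.KubeVersion.Version) .Values.seLinuxMount }}` references `.Values.seLinuxMount`, which neither values file in this patch defines (the added key is `CSIDriver.seLinuxMount`), so the rbd CSIDriver object stops declaring `seLinuxMount: true` on upgrade without any signal to the operator; because that field changes how kubelet applies SELinux labels to mounted volumes, a silent flip is the worst outcome. Use `.Values.CSIDriver.seLinuxMount` here, as in the cephfs template. `fsGroupPolicy` was hard-coded to `File` before and is now read from values with no fallback; `fsGroupPolicy: {{ default "File" .Values.CSIDriver.fsGroupPolicy }}` guards against an explicit null/empty override rendering an empty field and handing the decision to the API server's default.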
@@ -69,6 +69,24 @@ logLevel: 5 # sidecarLogLevel is the variable for Kubernetes sidecar container's log level sidecarLogLevel: 1 +# Set fsGroupPolicy for CSI Driver object spec +# https://kubernetes-csi.github.io/docs/support-fsgroup.html +# The following modes are supported: +# - None: Indicates that volumes will be mounted with no modifications, as the +# CSI volume driver does not support these operations. +# - File: Indicates that the CSI volume driver supports volume ownership and +# permission change via fsGroup, and Kubernetes may use fsGroup to change +# permissions and ownership of the volume to match user requested fsGroup in +# the pod's SecurityPolicy regardless of fstype or access mode. +# - ReadWriteOnceWithFSType: Indicates that volumes will be examined to +# determine if volume ownership and permissions should be modified to match +# the pod's security policy. +# Changes will only occur if the fsType is defined and the persistent volume's +# accessModes contains ReadWriteOnce. +CSIDriver: + fsGroupPolicy: "File" + seLinuxMount: true + nodeplugin: name: nodeplugin # set user created priorityclassName for csi plugin pods. default is From 5224d58c130d08db5b1bf79e0d2c1aaedf28a923 Mon Sep 17 00:00:00 2001 From: NymanRobin Date: Mon, 18 Mar 2024 10:50:13 +0200 Subject: [PATCH 2/2] cephfs: add support for encryption in ceph-csi-cephfs chart the chart currently lacks access to configmap and secrets this causes the mounting of encrypted file systems to fail Signed-off-by: NymanRobin --- .../ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml | 6 ++++++ .../ceph-csi-cephfs/templates/provisioner-clusterrole.yaml | 3 +++ 2 files changed, 9 insertions(+) diff --git a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml index ec61a67137b..632672ebd54 100644 --- a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml +++ b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml 
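Review bot: The new `CSIDriver` block documents `fsGroupPolicy` at length but `seLinuxMount: true` gets no comment, and nothing tells the reader what disabling it changes or that the template only emits the field on Kubernetes >= 1.25. Above the key I would add: `# seLinuxMount: true tells kubelet this driver accepts the -o context= mount option, so volumes can be` / `# mounted with the pod's SELinux label instead of being recursively relabelled (per the CSIDriver API docs).` / `# Only rendered on Kubernetes >= 1.25; set to false to omit the field.` Note also that the rbd csidriver-crd template in this patch tests `.Values.seLinuxMount`, not `.Values.CSIDriver.seLinuxMount`, so this default is dead until that path is corrected.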
@@ -14,4 +14,10 @@ rules: - apiGroups: [""] resources: ["nodes"] verbs: ["get"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] {{- end -}} diff --git a/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml index e080e62734b..1405655e99c 100644 --- a/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml +++ b/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml @@ -14,6 +14,9 @@ rules: - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "update", "delete","patch"]
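Review bot: The two new rules grant the node plugin's ServiceAccount `get` on Secrets and ConfigMaps in every namespace, because this is a ClusterRole; the node plugin runs on every node, so a compromised nodeplugin pod (or anything holding its token) can read any Secret in the cluster by name, far beyond the encryption/KMS material the commit message says it needs. If that configuration lives in the release namespace, a namespaced Role plus RoleBinding is the least-privilege shape; if cluster-wide read is genuinely required, gate these two rules on the value that enables encryption so non-encrypting deployments do not carry the grant. Either way add a why-comment above the first new rule, e.g. `# read KMS/encryption configuration for encrypted volumes`. The `{{- end -}}` shows the whole role already sits inside a conditional whose start is outside this hunk, so I could not check what it is keyed on.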
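Review bot: The added `configmaps` rule gives the provisioner cluster-wide `get` on ConfigMaps with nothing in the file saying why, so nobody will later know whether it can be tightened or removed. The `secrets` rule directly above has the same apiGroup and could absorb the new resource, but a separate rule with a comment is clearer: `# ConfigMaps hold KMS/encryption configuration for encrypted volumes` above the new `- apiGroups: [""]`. If that configuration is always in the release namespace, a namespaced Role would be the tighter grant.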