Merge pull request #18 from andrewh1978/onrootmismatch

move back to px-bench namespace; fix permissions on both vanilla and ocp
andrewh1978 · Dec 7, 2023 · f8c1f0f · f8c1f0f
2 parents f2733e0 + ab53424
commit f8c1f0f
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/px-bench-env.yml b/px-bench-env.yml
@@ -1,9 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: px-bench
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: env
-
+  namespace: px-bench
 ######
 # Options that control the underlying fio benchmark utility. These equate to the same-named option in fio
 #
@@ -45,4 +49,4 @@ data:
   readwrite_list: "read write readwrite"        # valid values are read, write, randread, readwrite (or rw), randrw.
   storageclass_list: "storageclass-1 storageclass-2"    # Existing storageclasses for use by the benchmarks
   warmup_blocksize: 256k
-  warmup_loops: "1"
+  warmup_loops: "1"
diff --git a/px-bench-main.yml b/px-bench-main.yml
@@ -1,8 +1,8 @@
----
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: files
+  namespace: px-bench
 data:
   run.sh: |-
     #!/usr/bin/bash
@@ -50,6 +50,7 @@ data:
     apiVersion: v1
     metadata:
        name: mnt-$sc
+       namespace: px-bench
     spec:
        storageClassName: $sc
        accessModes:
@@ -65,13 +66,16 @@ data:
     kind: Job
     metadata:
       name: fio
+      namespace: px-bench
     spec:
       template:
         metadata:
           name: fio
           labels:
             px-bench: fio
         spec:
+          securityContext:
+            fsGroupChangePolicy: "OnRootMismatch"
           serviceAccountName: px-bench
           terminationGracePeriodSeconds: 0
           containers:
@@ -80,7 +84,6 @@ data:
             imagePullPolicy: "Always"
             command: [ "/bin/bash", "/px-bench/fio.sh" ]
             securityContext:
-              runAsNonRoot: true
               allowPrivilegeEscalation: false
               seccompProfile:
                 type: RuntimeDefault
@@ -163,11 +166,13 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: px-bench
+  namespace: px-bench
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: px-bench
+  namespace: px-bench
 rules:
   - apiGroups: [""]
     resources:
@@ -188,6 +193,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: px-bench
+  namespace: px-bench
 subjects:
   - kind: ServiceAccount
     name: px-bench
@@ -200,13 +206,16 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: run
+  namespace: px-bench
 spec:
   template:
     metadata:
       name: run
       labels:
         px-bench: run
     spec:
+      securityContext:
+        fsGroupChangePolicy: "OnRootMismatch"
       serviceAccountName: px-bench
       terminationGracePeriodSeconds: 0
       containers:
@@ -215,7 +224,6 @@ spec:
         imagePullPolicy: "Always"
         command: [ "/bin/bash", "/px-bench/run.sh" ]
         securityContext:
-          runAsNonRoot: true
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault