feat(helm): update rook-ceph-suite to v1.10.2 (minor) #718
Path: @@ -197,9 +197,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -557,7 +577,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.3
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: "" |
Path: @@ -225,18 +225,19 @@
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
CSI_ENABLE_CSIADDONS: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
@@ -644,6 +645,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +654,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -676,10 +667,10 @@
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +679,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,20 +715,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
@@ -762,13 +741,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,44 +761,26 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
@@ -946,20 +913,6 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
-roleRef:
- kind: ClusterRole
- name: cephfs-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
----
-# Source: rook-ceph/templates/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
@@ -1131,9 +1084,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -1292,12 +1265,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,12 +1276,6 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1635,7 +1596,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.10.1"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1649,6 +1610,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
🦙 MegaLinter status: ✅ SUCCESS
See detailed report in MegaLinter reports |
b202aa9
to
dbb0ce0
Path: @@ -197,9 +197,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -557,7 +577,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.3
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: "" |
Path: @@ -225,19 +225,21 @@
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
CSI_ENABLE_CSIADDONS: "false"
+ CSI_ENABLE_TOPOLOGY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -644,6 +646,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +655,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -676,10 +668,10 @@
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +680,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +716,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +745,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,50 +765,38 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
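Review bot: The nodes rule added at the end of this hunk has an unbalanced quote, `verbs: ["get", "list", watch"]`, so the third verb parses as the plain scalar `watch"` rather than `watch`; Kubernetes does not validate verb names, so the ClusterRole applies cleanly while that entry grants nothing. The effect is masked only because the same ClusterRole already keeps a nodes rule with `["get", "list", "watch"]` at the top of the hunk (its apiGroups line is outside the hunk), which also makes the new nodes rule and the new csinodes rule (duplicating the csinodes rule a few lines above) redundant. The identical line appears in the corresponding hunk of the next compare, the one ending at `apiVersion: rbac.authorization.k8s.io/v1` after the `psp.yaml` source comment. Either fix it to `verbs: ["get", "list", "watch"]` or drop the two duplicate rules; as the `# Source:` comments suggest this is rendered chart output, the correction belongs in the template or upstream chart rather than in this file alone.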
@@ -946,20 +923,6 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
-roleRef:
- kind: ClusterRole
- name: cephfs-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
----
-# Source: rook-ceph/templates/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
@@ -1131,9 +1094,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -1292,12 +1275,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,12 +1286,6 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1635,7 +1606,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.10.2"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1649,6 +1620,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
dbb0ce0
to
f027268
Path: @@ -197,9 +197,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -557,7 +577,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.3
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: "" |
Path: @@ -225,19 +225,21 @@
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
CSI_ENABLE_CSIADDONS: "false"
+ CSI_ENABLE_TOPOLOGY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -644,6 +646,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +655,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -676,10 +668,10 @@
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +680,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +716,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +745,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,50 +765,38 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -946,20 +923,6 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
-roleRef:
- kind: ClusterRole
- name: cephfs-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
----
-# Source: rook-ceph/templates/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
@@ -1131,9 +1094,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -1292,12 +1275,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,12 +1286,6 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1635,7 +1606,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.10.2"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1649,6 +1620,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
f027268
to
1f5aebd
Path: @@ -197,9 +197,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -557,7 +577,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.3
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -662,9 +682,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
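Review bot: Dropping the `limits` stanza under `prepareosd` leaves the OSD-prepare job with requests only, so while it runs it is bounded by nothing but node capacity for CPU and memory. If the 400Mi ceiling was removed because prepare was being OOM-killed, that motivation is not visible in the hunk and should be recorded next to the remaining `requests`, e.g. `# limits intentionally omitted: OSD prepare is a short-lived job; see <reason>`; otherwise raising the limit is safer than removing it. The `cephVersion.image` change in the same section moves from Ceph 16.x to 17.x, a major-release jump, which is a deployment caveat rather than a file defect but worth scheduling against a healthy cluster.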
Path: @@ -225,19 +225,21 @@
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
CSI_ENABLE_CSIADDONS: "false"
+ CSI_ENABLE_TOPOLOGY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -644,6 +646,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +655,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -676,10 +668,10 @@
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +680,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +716,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +745,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,50 +765,38 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -946,20 +923,6 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
-roleRef:
- kind: ClusterRole
- name: cephfs-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
----
-# Source: rook-ceph/templates/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
@@ -1131,9 +1094,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -1292,12 +1275,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,12 +1286,6 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1635,7 +1606,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.10.3"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1649,6 +1620,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
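Review bot: The last added `nodes` rule in the rbd provisioner ClusterRole has a malformed verb — `verbs: ["get", "list", watch"]` is missing the opening quote, so YAML parses the third entry as the literal string `watch"` rather than `watch`, and since the RBAC API does not validate verb names it will be stored silently as a verb that never matches a watch request. The rule at the top of that same hunk already appears to grant `get`, `list`, `watch` on `nodes`, so the practical effect is probably just a bogus verb and a redundant rule, but it should still be corrected to `verbs: ["get", "list", "watch"]` or the duplicate rule removed. The `# Source: rook-ceph/templates/clusterrole.yaml` marker shows this is rendered chart output, so the fix likely belongs upstream or in a post-render patch rather than in the generated manifest by hand.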
Path: @@ -225,19 +225,21 @@
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
CSI_ENABLE_CSIADDONS: "false"
+ CSI_ENABLE_TOPOLOGY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -644,6 +646,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +655,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -676,10 +668,10 @@
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +680,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +716,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +745,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,50 +765,38 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -946,20 +923,6 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
-roleRef:
- kind: ClusterRole
- name: cephfs-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
----
-# Source: rook-ceph/templates/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
@@ -1131,9 +1094,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -1292,12 +1275,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,12 +1286,6 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1635,7 +1606,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.10.4"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1649,13 +1620,15 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- name: ROOK_ENABLE_DISCOVERY_DAEMON |
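Review bot: The added `nodes` rule near the end of the rbd provisioner ClusterRole still carries the unquoted verb `watch"` in `verbs: ["get", "list", watch"]`, which YAML accepts as the string `watch"` and the API server will store without complaint, so this rule grants no watch permission on its own; it should read `verbs: ["get", "list", "watch"]`. Separately, the new `CSI_ENABLE_NFS_SNAPSHOTTER: "true"` sits alongside the unchanged `ROOK_CSI_ENABLE_NFS: "false"`, so the snapshotter flag is a no-op here and setting it to `"false"` (or commenting why it is pre-enabled) would keep the config self-consistent. The removed `ROOK_ENABLE_SELINUX_RELABELING` env drops an explicit `"true"` in favour of the operator's built-in default, which is fine on non-SELinux hosts but worth confirming if any node runs enforcing SELinux.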
Path: @@ -197,9 +197,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -557,7 +577,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.3
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -597,6 +617,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -662,9 +686,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
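Review bot: The `cephVersion.image` bump from `quay.io/ceph/ceph:v16.2.9` to `v17.2.3` is a major Ceph release upgrade (Pacific to Quincy) and, unlike the operator image bump, is generally not reversible once the monitors have moved to the new release, so it deserves a comment at the image line and an explicit ordering note. Rook's upgrade flow expects the operator to already be running the new release before the CephCluster image changes; with both charts bumped in one PR, make sure the cluster chart is applied only after the operator rollout completes, e.g. `# v17 (Quincy): major upgrade, not downgradable; apply after rook-ceph operator v1.10.x is Ready`. The new `logCollector` block and the dropped `prepareosd` limits are lower-risk, though the latter leaves the prepare job uncapped.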
Path: @@ -197,9 +197,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -557,7 +577,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.5
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -597,6 +617,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -662,9 +686,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
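Review bot: The Ceph image is pinned only by mutable tag — `image: quay.io/ceph/ceph:v17.2.5` — so what actually runs is whatever the registry serves for that tag at pull time, and `allowUnsupported: false` checks the version string, not the artifact. For daemons that need host device access on every storage node, pin the digest alongside the tag, `image: quay.io/ceph/ceph:v17.2.5@sha256:<digest>`, so that the tag remains readable and the update tooling can refresh both together. This is pre-existing rather than introduced by the bump, but a version bump is the natural point to add it.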
Path: @@ -225,19 +225,21 @@
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
CSI_ENABLE_CSIADDONS: "false"
+ CSI_ENABLE_TOPOLOGY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -644,6 +646,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +655,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -676,10 +668,10 @@
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +680,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +716,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +745,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,50 +765,38 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -946,20 +923,6 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
-roleRef:
- kind: ClusterRole
- name: cephfs-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
----
-# Source: rook-ceph/templates/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
@@ -1131,9 +1094,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -1292,12 +1275,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,12 +1286,6 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1635,7 +1606,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.10.5"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1649,13 +1620,15 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- name: ROOK_ENABLE_DISCOVERY_DAEMON |
Path: @@ -197,9 +197,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -557,7 +577,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.5
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -597,6 +617,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -662,9 +686,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
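Review bot: Dropping the `limits:` stanza under `prepareosd:` while keeping `requests:` leaves the OSD-prepare jobs with no CPU or memory ceiling, so a misbehaving prepare pod can consume whatever the node has. If this mirrors the upstream chart default (prepare can legitimately need more than 400Mi on large disks) it is probably intended, but nothing on the page says so. A comment on the `prepareosd:` line such as `# no limits: OSD prepare memory scales with disk size; bound it per-environment if needed` would record the decision. The enclosing `resources:` mapping starts before the hunk.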
Path: @@ -222,22 +222,25 @@
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
CSI_ENABLE_CSIADDONS: "false"
+ CSI_ENABLE_TOPOLOGY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -644,6 +647,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +656,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -676,10 +669,10 @@
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +681,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +717,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +746,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,50 +766,38 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
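Review bot: `verbs: ["get", "list", watch"]` in the added `nodes` rule is missing the opening quote on the last element. Inside a flow sequence that still parses, as the plain scalar `watch"`, so the rule grants a verb that does not exist and the service account never gets `watch` on nodes; the failure only shows up at runtime when the plugin tries to start an informer. The line should read `verbs: ["get", "list", "watch"]`, as the same rule is written in the later push of this PR. The ClusterRole that owns these rules starts before the hunk.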
@@ -946,20 +924,6 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
-roleRef:
- kind: ClusterRole
- name: cephfs-csi-nodeplugin
- apiGroup: rbac.authorization.k8s.io
----
-# Source: rook-ceph/templates/clusterrolebinding.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
@@ -1131,9 +1095,29 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
- apiGroups:
- apps
resources:
@@ -1292,12 +1276,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,12 +1287,6 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1635,7 +1607,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.10.6"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1649,15 +1621,19 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
+ - name: DISCOVER_DAEMON_UDEV_BLACKLIST
+ value: ""
- name: ROOK_ENABLE_DISCOVERY_DAEMON
value: "false"
- name: ROOK_DISABLE_ADMISSION_CONTROLLER |
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠ Warning: custom changes will be lost. |
Path: @@ -1,86 +1,4 @@
---
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision privileged (for kube-system namespace)
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -211,6 +129,20 @@
# imagePullSecrets:
# - name: my-registry-secret
---
+# Source: rook-ceph/templates/serviceaccount.yaml
+# Service account for Ceph COSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: objectstorage-provisioner
+ namespace: default # namespace:operator
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+---
# Source: rook-ceph/templates/configmap.yaml
# Operator settings that can be updated without an operator restart
# Operator settings that require an operator restart are found in the operator env vars
@@ -222,22 +154,30 @@
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
+ ROOK_DISABLE_ADMISSION_CONTROLLER: "true"
+ ROOK_ENABLE_DISCOVERY_DAEMON: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
+ ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
CSI_ENABLE_CSIADDONS: "false"
+ ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.7.0"
+ CSI_ENABLE_TOPOLOGY: "false"
+ CSI_ENABLE_READ_AFFINITY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
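Review bot: `ROOK_DISABLE_ADMISSION_CONTROLLER: "true"` is added to the operator ConfigMap with nothing explaining it, and the operator ClusterRole in a later hunk still keeps `create`/`delete`/`update` on `validatingwebhookconfigurations`, so a reader cannot tell whether losing the (presumably CR-validating) webhook is deliberate or an artefact of rendering the chart with default values. If the webhook is meant to be off, a comment on that line like `# admission controller disabled: Ceph CRs are validated only at reconcile time` records the trade-off; if not, the chart value that enables it should be set so the rendered output includes the webhook. Separately, `CSI_ENABLE_NFS_SNAPSHOTTER: "true"` sits next to `ROOK_CSI_ENABLE_NFS: "false"`, which is harmless but reads as a leftover. The ConfigMap's `data:` mapping starts before the hunk.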
@@ -246,8 +186,11 @@
CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
- CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_CEPHFS_ATTACH_REQUIRED: "true"
+ CSI_RBD_ATTACH_REQUIRED: "true"
+ CSI_NFS_ATTACH_REQUIRED: "true"
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
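Review bot: The `csi-attacher` entry appended to `CSI_NFS_PROVISIONER_RESOURCE` is sized like the `csi-nfsplugin` container (`512Mi`/`250m` requests, `1Gi`/`500m` limits), whereas the `csi-attacher` sidecar in `CSI_CEPHFS_PROVISIONER_RESOURCE` two lines above gets `128Mi`/`100m` and `256Mi`/`200m`. That looks like a copy-and-paste of the plugin block rather than a deliberate 4x allocation for a small sidecar; the attacher portion should probably read `requests: memory: 128Mi cpu: 100m, limits: memory: 256Mi cpu: 200m` to match its siblings. These values are embedded `\n`-joined strings inside a rendered ConfigMap, so the fix belongs in the chart's values/template rather than in this output.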
@@ -274,6 +217,12 @@
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["create", "get", "delete", "update"]
+ - apiGroups: ["csiaddons.openshift.io"]
+ resources: ["networkfences"]
+ verbs: ["create", "get", "update", "delete", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
# The cluster role for managing all the cluster-specific resources in a namespace
@@ -380,6 +329,7 @@
- create
- update
- delete
+ - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
resources:
@@ -399,6 +349,7 @@
- cephfilesystemmirrors
- cephfilesystemsubvolumegroups
- cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- get
- list
@@ -467,6 +418,14 @@
- delete
- deletecollection
- apiGroups:
+ - apps
+ resources:
+ # This is to add osd deployment owner ref on key rotation
+ # cron jobs.
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
- healthchecking.openshift.io
resources:
- machinedisruptionbudgets
@@ -644,6 +603,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +612,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -675,11 +624,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +640,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +676,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +705,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,71 +725,58 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: 'psp:rook'
+ name: objectstorage-provisioner-role
labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+rules:
+ - apiGroups: ["objectstorage.k8s.io"]
+ resources: ["buckets", "bucketaccesses", "bucketclaims", "bucketaccessclasses", "buckets/status", "bucketaccesses/status", "bucketclaims/status", "bucketaccessclasses/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["secrets", "events"]
+ verbs: ["get", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
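Review bot: The new `objectstorage-provisioner-role` is a ClusterRole whose last rule grants `get`, `delete`, `update` and `create` on `secrets` (and `events`) with no `resourceNames`, so the `objectstorage-provisioner` service account can read and rewrite any Secret in any namespace of the cluster. If the COSI driver only handles bucket-credential Secrets in its own namespace, a namespaced Role plus RoleBinding, or at least a comment above the rule stating which Secrets it must touch, would keep that within least privilege; `get`/`delete` on `events` is also unusual for an event emitter, which normally needs only `create`/`patch`. As a style point, the `resources:` line listing eight `objectstorage.k8s.io` resources in one flow sequence runs well past any reasonable line length and would read better as a block sequence. This is rendered chart output, so the change belongs in the template that produces it.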
@@ -946,28 +882,30 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: rook-csi-cephfs-provisioner-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-csi-nodeplugin
+ name: cephfs-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
+# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
+# otherwise operator-sdk will create a individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-nodeplugin-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
+ name: rook-csi-cephfs-plugin-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
@@ -984,81 +922,24 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrolebinding.yaml
+# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
+ name: objectstorage-provisioner-role-binding
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: objectstorage-provisioner
namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
roleRef:
- apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
+ name: objectstorage-provisioner-role
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
---
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
@@ -1068,10 +949,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
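Review bot: The secrets rule at `verbs: ["get", "update"]` carries no `resourceNames`, so widening it from `get` to `update` lets the bound service account rewrite any Secret in this namespace, not only the KMS token that the comment describes. If the token Secret's name is fixed by the CephCluster spec, adding `resourceNames: ["<kms-token-secret-name>"]` (placeholder) to this rule keeps the rotation path working while bounding the write scope; if the name is user-chosen, the comment should say so and note the trade-off. The same widening is rendered again in the `@@ -134,10 +135,10 @@` hunks of both rook-ceph-cluster sections further down this page. The enclosing Role's metadata begins outside this hunk.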
@@ -1131,9 +1012,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -1269,6 +1172,7 @@
- create
- update
- delete
+ - deletecollection
- apiGroups:
- batch
resources:
@@ -1284,6 +1188,13 @@
- get
- create
- delete
+ - apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ verbs:
+ - get
+ - create
---
# Source: rook-ceph/templates/role.yaml
kind: Role
@@ -1292,12 +1203,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,113 +1214,11 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1635,7 +1438,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.12.8"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1649,19 +1452,19 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- - name: ROOK_ENABLE_DISCOVERY_DAEMON
- value: "false"
- - name: ROOK_DISABLE_ADMISSION_CONTROLLER
- value: "false"
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
- name: NODE_NAME
valueFrom:
fieldRef:
@@ -1689,3 +1492,7 @@
emptyDir: {}
- name: webhook-cert
emptyDir: {}
+# Source: rook-ceph/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+--- |
Path: @@ -95,6 +95,7 @@
imageFormat: "2"
reclaimPolicy: Delete
allowVolumeExpansion: true
+volumeBindingMode: Immediate
---
# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -134,10 +135,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -197,9 +198,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -294,102 +317,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -533,6 +460,11 @@
namespace: default # namespace:cluster
---
+# Source: rook-ceph-cluster/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+---
+
# Source: rook-ceph-cluster/templates/volumesnapshotclass.yaml
---
@@ -557,7 +489,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.6
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -574,8 +506,6 @@
urlPrefix: /
dataDirHostPath: /var/lib/rook
disruptionManagement:
- machineDisruptionBudgetNamespace: openshift-machine-api
- manageMachineDisruptionBudgets: false
managePodBudgets: true
osdMaintenanceTimeout: 30
pgHealthCheckTimeout: 0
@@ -597,6 +527,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -606,6 +540,13 @@
mon:
allowMultiplePerNode: false
count: 3
+ network:
+ connections:
+ compression:
+ enabled: false
+ encryption:
+ enabled: false
+ requireMsgr2: false
priorityClassNames:
mgr: system-cluster-critical
mon: system-node-critical
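Review bot: `network.connections.encryption.enabled: false` together with `requireMsgr2: false` leaves Ceph daemon-to-daemon and client traffic on the cluster network in cleartext, and nothing in the rendered output shows this was a deliberate choice rather than the chart default. If the Ceph public and cluster networks are not otherwise isolated, enabling msgr2 encryption is worth evaluating (it has client-compatibility implications that should be checked first); either way a comment such as `# on-wire encryption intentionally off: <reason>` (placeholder) above `encryption:` would record the decision. The identical block is rendered again in the later `@@ -605,6 +538,13 @@` hunk of this file. The `network:` stanza is complete inside this hunk, but the CephCluster spec it belongs to starts outside it.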
@@ -626,6 +567,13 @@
requests:
cpu: 100m
memory: 60Mi
+ exporter:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
logcollector:
limits:
cpu: 500m
@@ -662,9 +610,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
a7ed1df
to
50d6111
Path: @@ -95,6 +95,7 @@
imageFormat: "2"
reclaimPolicy: Delete
allowVolumeExpansion: true
+volumeBindingMode: Immediate
---
# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -134,10 +135,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -197,9 +198,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -294,102 +317,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -536,11 +463,14 @@
---
---
+
+---
# Source: rook-ceph-cluster/templates/cephblockpool.yaml
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: ceph-blockpool
+ namespace: default # namespace:cluster
spec:
failureDomain: host
replicated:
@@ -551,12 +481,13 @@
kind: CephCluster
metadata:
name: default
+ namespace: default # namespace:cluster
spec:
monitoring:
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.6
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -573,8 +504,6 @@
urlPrefix: /
dataDirHostPath: /var/lib/rook
disruptionManagement:
- machineDisruptionBudgetNamespace: openshift-machine-api
- manageMachineDisruptionBudgets: false
managePodBudgets: true
osdMaintenanceTimeout: 30
pgHealthCheckTimeout: 0
@@ -596,6 +525,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -605,6 +538,13 @@
mon:
allowMultiplePerNode: false
count: 3
+ network:
+ connections:
+ compression:
+ enabled: false
+ encryption:
+ enabled: false
+ requireMsgr2: false
priorityClassNames:
mgr: system-cluster-critical
mon: system-node-critical
@@ -625,6 +565,13 @@
requests:
cpu: 100m
memory: 60Mi
+ exporter:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
logcollector:
limits:
cpu: 500m
@@ -661,9 +608,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
Path: @@ -1,86 +1,4 @@
---
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision privileged (for kube-system namespace)
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -211,6 +129,20 @@
# imagePullSecrets:
# - name: my-registry-secret
---
+# Source: rook-ceph/templates/serviceaccount.yaml
+# Service account for Ceph COSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: objectstorage-provisioner
+ namespace: default # namespace:operator
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+---
# Source: rook-ceph/templates/configmap.yaml
# Operator settings that can be updated without an operator restart
# Operator settings that require an operator restart are found in the operator env vars
@@ -218,26 +150,35 @@
apiVersion: v1
metadata:
name: rook-ceph-operator-config
+ namespace: default # namespace:operator
data:
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
+ ROOK_DISABLE_ADMISSION_CONTROLLER: "true"
+ ROOK_ENABLE_DISCOVERY_DAEMON: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
+ ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
CSI_ENABLE_CSIADDONS: "false"
+ ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.7.0"
+ CSI_ENABLE_TOPOLOGY: "false"
+ CSI_ENABLE_READ_AFFINITY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -246,8 +187,11 @@
CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
- CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_CEPHFS_ATTACH_REQUIRED: "true"
+ CSI_RBD_ATTACH_REQUIRED: "true"
+ CSI_NFS_ATTACH_REQUIRED: "true"
---
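Review bot: `ROOK_DISABLE_ADMISSION_CONTROLLER: "true"` is new in the rendered ConfigMap and, going by its name, switches off Rook's validating admission webhook, so malformed or conflicting Ceph CRs would only be caught at reconcile time instead of being rejected on admission; the operator Deployment hunk in the earlier section still exposes `containerPort: 9443` / `name: https-webhook` and mounts `webhook-cert`, so confirm the disable is intended and not a leftover default. Separately, `ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.7.0"` pins a mutable tag while `ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"` caches whatever was first pulled, so the running sidecar cannot be tied to a specific artifact from the manifest alone; a digest pin, or at minimum a comment stating that the image is tag-pinned by chart default, would make this auditable. The ConfigMap's `kind` line begins outside this hunk.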
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -274,6 +218,12 @@
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["create", "get", "delete", "update"]
+ - apiGroups: ["csiaddons.openshift.io"]
+ resources: ["networkfences"]
+ verbs: ["create", "get", "update", "delete", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
# The cluster role for managing all the cluster-specific resources in a namespace
@@ -380,6 +330,7 @@
- create
- update
- delete
+ - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
resources:
@@ -399,6 +350,7 @@
- cephfilesystemmirrors
- cephfilesystemsubvolumegroups
- cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- get
- list
@@ -467,6 +419,14 @@
- delete
- deletecollection
- apiGroups:
+ - apps
+ resources:
+ # This is to add osd deployment owner ref on key rotation
+ # cron jobs.
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
- healthchecking.openshift.io
resources:
- machinedisruptionbudgets
@@ -644,6 +604,8 @@
- list
---
# Source: rook-ceph/templates/clusterrole.yaml
+# TODO: remove this, once https://github.com/rook/rook/issues/10141
+# is resolved.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@@ -651,19 +613,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -675,11 +625,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +641,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +677,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +706,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,71 +726,58 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: 'psp:rook'
+ name: objectstorage-provisioner-role
labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+rules:
+ - apiGroups: ["objectstorage.k8s.io"]
+ resources: ["buckets", "bucketaccesses", "bucketclaims", "bucketaccessclasses", "buckets/status", "bucketaccesses/status", "bucketclaims/status", "bucketaccessclasses/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["secrets", "events"]
+ verbs: ["get", "delete", "update", "create"]
---
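Review bot: The new `objectstorage-provisioner-role` ClusterRole grants `secrets` and `events` with `get`, `delete`, `update`, `create` across every namespace, and it is bound cluster-wide by the `objectstorage-provisioner-role-binding` ClusterRoleBinding rendered earlier on this page, so the COSI driver service account can read, overwrite or delete any Secret it can name anywhere in the cluster. If COSI is not in use in this deployment (no CephCOSIDriver appears to be rendered), the ServiceAccount, ClusterRole and binding are unused privilege and the chart value that enables them should be checked; if it is in use, the rule should at least be split so that `events` is separate from `secrets`, with a comment naming the namespaces the driver is expected to write credential Secrets into. The long `resources:` flow sequence on the `objectstorage.k8s.io` rule would also read better as a block sequence, one resource per line. The `- apiGroups: [""]` rule at the top of this hunk belongs to a ClusterRole whose header is outside the hunk.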
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -946,28 +883,30 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: rook-csi-cephfs-provisioner-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-csi-nodeplugin
+ name: cephfs-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
+# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
+# otherwise operator-sdk will create a individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-nodeplugin-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
+ name: rook-csi-cephfs-plugin-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
@@ -984,81 +923,24 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrolebinding.yaml
+# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
+ name: objectstorage-provisioner-role-binding
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: objectstorage-provisioner
namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
roleRef:
- apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
+ name: objectstorage-provisioner-role
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
---
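Review bot: Removing the `psp:rook` ClusterRoleBindings (and the `00-rook-privileged` policy they referenced) leaves nothing in the rendered output that admits the privileged/hostPath/hostPID pods those bindings existed for, so on a cluster where Pod Security Admission enforces `baseline` or `restricted` by default, the OSD and CSI pods would be rejected unless the operator and cluster namespaces carry `pod-security.kubernetes.io/enforce: privileged`; that label is not part of this diff and I cannot tell from here whether it is set elsewhere in the repo. The new `objectstorage-provisioner-role-binding` is a ClusterRoleBinding, so whatever `objectstorage-provisioner-role` grants applies in every namespace for the `objectstorage-provisioner` service account; if the COSI driver is not actually deployed, that is a standing grant with no consumer. The same pair of changes appears again in the later hunk headed `@@ -984,81 +916,24 @@`.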
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
@@ -1068,10 +950,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -1131,9 +1013,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -1269,6 +1173,7 @@
- create
- update
- delete
+ - deletecollection
- apiGroups:
- batch
resources:
@@ -1284,6 +1189,13 @@
- get
- create
- delete
+ - apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ verbs:
+ - get
+ - create
---
# Source: rook-ceph/templates/role.yaml
kind: Role
@@ -1292,12 +1204,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,113 +1215,11 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1615,6 +1419,7 @@
kind: Deployment
metadata:
name: rook-ceph-operator
+ namespace: default # namespace:operator
labels:
operator: rook
storage-backend: ceph
@@ -1635,7 +1440,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.12.9"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
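Review bot: The rendered operator image is `rook/ceph:v1.12.9` while the PR title says v1.10.2, so either the title is stale after the force-push shown on this page or the rendered diff comes from a different chart version than the one being merged; the two should agree before merging, because as far as I recall Rook's upgrade guide expects minor versions to be stepped one at a time and a 1.9 → 1.12 jump is three steps, not the single minor step the title implies. The tag is mutable; if the repo pins other images by digest, the constructed form `image: "rook/ceph:v1.12.9@sha256:<digest-placeholder>"` would apply here too, although that is a chart-values decision rather than an edit to this rendered line. The Deployment spec starts before this hunk.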
@@ -1649,19 +1454,19 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- - name: ROOK_ENABLE_DISCOVERY_DAEMON
- value: "false"
- - name: ROOK_DISABLE_ADMISSION_CONTROLLER
- value: "false"
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
- name: NODE_NAME
valueFrom:
fieldRef:
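Review bot: The container now declares `containerPort: 9443` named `https-webhook` and keeps the `/etc/webhook` mount, but in the same hunk `ROOK_DISABLE_ADMISSION_CONTROLLER` is dropped from the env, and the later hunk headed `@@ -271,9 +213,12 @@` removes the `validatingwebhookconfigurations` RBAC, so nothing visible in this diff still registers a webhook on that port. If the admission controller was removed upstream, the port and the `webhook-cert` volume look vestigial and deserve a comment such as `# webhook port/cert retained by upstream chart; no ValidatingWebhookConfiguration is rendered` so the next reader does not assume admission validation is active. The Deployment spec starts before this hunk and the volumes section ends after it.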
@@ -1689,3 +1494,7 @@
emptyDir: {}
- name: webhook-cert
emptyDir: {}
+# Source: rook-ceph/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+--- |
Path: @@ -1,86 +1,4 @@
---
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision privileged (for kube-system namespace)
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -211,6 +129,20 @@
# imagePullSecrets:
# - name: my-registry-secret
---
+# Source: rook-ceph/templates/serviceaccount.yaml
+# Service account for Ceph COSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: objectstorage-provisioner
+ namespace: default # namespace:operator
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+---
# Source: rook-ceph/templates/configmap.yaml
# Operator settings that can be updated without an operator restart
# Operator settings that require an operator restart are found in the operator env vars
@@ -218,26 +150,33 @@
apiVersion: v1
metadata:
name: rook-ceph-operator-config
+ namespace: default # namespace:operator
data:
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
+ ROOK_ENABLE_DISCOVERY_DAEMON: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
+ ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
CSI_ENABLE_CSIADDONS: "false"
+ ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.7.0"
+ CSI_ENABLE_TOPOLOGY: "false"
+ CSI_ENABLE_READ_AFFINITY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
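Review bot: `CSI_ENABLE_NFS_SNAPSHOTTER: "true"` is added while `ROOK_CSI_ENABLE_NFS` stays `"false"`, which is harmless but contradictory; either set it to `"false"` alongside the other disabled NFS settings or record that it is a chart default. The three `*_FSGROUPPOLICY` values change from `ReadWriteOnceWithFSType` to `File`, which is a semantic change on the resulting CSIDriver objects: as I understand fsGroupPolicy, the kubelet will now apply the pod's fsGroup to every mounted volume rather than only to RWO volumes with a filesystem type, so on a shared (RWX) volume ownership can be rewritten on each mount — CephFS is disabled here, so the exposure is limited to RBD, but it should be a deliberate choice rather than an unreviewed default. `ROOK_CSIADDONS_IMAGE` pins a tag, not a digest, while `CSI_ENABLE_CSIADDONS` remains `"false"`, so that image is currently unused.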
@@ -246,8 +185,11 @@
CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
- CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_CEPHFS_ATTACH_REQUIRED: "true"
+ CSI_RBD_ATTACH_REQUIRED: "true"
+ CSI_NFS_ATTACH_REQUIRED: "true"
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -271,9 +213,12 @@
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["create", "get", "delete", "update"]
+ - apiGroups: ["csiaddons.openshift.io"]
+ resources: ["networkfences"]
+ verbs: ["create", "get", "update", "delete", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get"]
---
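Review bot: The new rule grants `rook-ceph-system` create/get/update/delete/watch/list on `networkfences` in `csiaddons.openshift.io` cluster-wide, while the operator configmap in this same diff sets `CSI_ENABLE_CSIADDONS: "false"`; unless the operator reconciles NetworkFence objects independently of the CSI-Addons sidecars, this is a standing permission with no active consumer and I would at least add a comment noting why it is present, e.g. `# networkfences: used for node fencing; unused while CSI_ENABLE_CSIADDONS is "false"`. Dropping the `validatingwebhookconfigurations` rule is consistent with removing the admission controller, but the Deployment hunk earlier on the page still opens port 9443 for a webhook, so those two should be reconciled. The ClusterRole begins before this hunk.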
# Source: rook-ceph/templates/clusterrole.yaml
# The cluster role for managing all the cluster-specific resources in a namespace
@@ -332,9 +277,8 @@
# Node access is needed for determining nodes where mons should run
- nodes
- nodes/proxy
- - services
# Rook watches secrets which it uses to configure access to external resources.
- # e.g., external Ceph cluster; TLS certificates for the admission controller or object store
+ # e.g., external Ceph cluster or object store
- secrets
# Rook watches for changes to the rook-operator-config configmap
- configmaps
@@ -352,6 +296,7 @@
- persistentvolumeclaims
# Rook creates endpoints for mgr and object store access
- endpoints
+ - services
verbs:
- get
- list
@@ -380,6 +325,7 @@
- create
- update
- delete
+ - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
resources:
@@ -399,6 +345,7 @@
- cephfilesystemmirrors
- cephfilesystemsubvolumegroups
- cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- get
- list
@@ -467,6 +414,14 @@
- delete
- deletecollection
- apiGroups:
+ - apps
+ resources:
+ # This is to add osd deployment owner ref on key rotation
+ # cron jobs.
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
- healthchecking.openshift.io
resources:
- machinedisruptionbudgets
@@ -651,19 +606,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -675,11 +618,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +634,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +670,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +699,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,71 +719,58 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: 'psp:rook'
+ name: objectstorage-provisioner-role
labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+rules:
+ - apiGroups: ["objectstorage.k8s.io"]
+ resources: ["buckets", "bucketaccesses", "bucketclaims", "bucketaccessclasses", "buckets/status", "bucketaccesses/status", "bucketclaims/status", "bucketaccessclasses/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["secrets", "events"]
+ verbs: ["get", "delete", "update", "create"]
---
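Review bot: `objectstorage-provisioner-role` grants get/delete/update/create on `secrets` (and `events`) in the core API group with no `resourceNames` restriction, and it is bound through a ClusterRoleBinding in the hunk headed `@@ -984,81 +916,24 @@`, so the `objectstorage-provisioner` service account can read and rewrite Secrets in every namespace. If the COSI driver only needs its own bucket-credential secrets, a namespaced Role in the operator namespace would bound the blast radius of that service account token; this is rendered upstream chart output, so the fix is a chart value or an overlay rather than an edit here, but it is worth knowing before merging. The removal of the `replication.storage.openshift.io` rules in the same hunk matches the dropped `CSI_ENABLE_VOLUME_REPLICATION` key in the configmap hunk.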
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -946,28 +876,30 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: rook-csi-cephfs-provisioner-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-csi-nodeplugin
+ name: cephfs-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
+# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
+# otherwise operator-sdk will create a individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-nodeplugin-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
+ name: rook-csi-cephfs-plugin-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
@@ -984,81 +916,24 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrolebinding.yaml
+# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
+ name: objectstorage-provisioner-role-binding
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: objectstorage-provisioner
namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
roleRef:
- apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
+ name: objectstorage-provisioner-role
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
---
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
@@ -1068,10 +943,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -1131,9 +1006,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -1269,6 +1166,7 @@
- create
- update
- delete
+ - deletecollection
- apiGroups:
- batch
resources:
@@ -1284,6 +1182,13 @@
- get
- create
- delete
+ - apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ verbs:
+ - get
+ - create
---
# Source: rook-ceph/templates/role.yaml
kind: Role
@@ -1292,12 +1197,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,113 +1208,11 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1615,6 +1412,7 @@
kind: Deployment
metadata:
name: rook-ceph-operator
+ namespace: default # namespace:operator
labels:
operator: rook
storage-backend: ceph
@@ -1633,35 +1431,37 @@
labels:
app: rook-ceph-operator
spec:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 5
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.13.0"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 2016
runAsNonRoot: true
runAsUser: 2016
- runAsGroup: 2016
volumeMounts:
- mountPath: /var/lib/rook
name: rook-config
- mountPath: /etc/ceph
name: default-config-dir
- - mountPath: /etc/webhook
- name: webhook-cert
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- - name: ROOK_ENABLE_DISCOVERY_DAEMON
- value: "false"
- - name: ROOK_DISABLE_ADMISSION_CONTROLLER
- value: "false"
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
- name: NODE_NAME
valueFrom:
fieldRef:
@@ -1687,5 +1487,7 @@
emptyDir: {}
- name: default-config-dir
emptyDir: {}
- - name: webhook-cert
- emptyDir: {}
+# Source: rook-ceph/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+--- |
Path: @@ -95,6 +95,7 @@
imageFormat: "2"
reclaimPolicy: Delete
allowVolumeExpansion: true
+volumeBindingMode: Immediate
---
# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -134,10 +135,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -197,9 +198,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -294,102 +317,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -536,11 +463,14 @@
---
---
+
+---
# Source: rook-ceph-cluster/templates/cephblockpool.yaml
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: ceph-blockpool
+ namespace: default # namespace:cluster
spec:
failureDomain: host
replicated:
@@ -551,12 +481,13 @@
kind: CephCluster
metadata:
name: default
+ namespace: default # namespace:cluster
spec:
monitoring:
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.6
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -573,8 +504,6 @@
urlPrefix: /
dataDirHostPath: /var/lib/rook
disruptionManagement:
- machineDisruptionBudgetNamespace: openshift-machine-api
- manageMachineDisruptionBudgets: false
managePodBudgets: true
osdMaintenanceTimeout: 30
pgHealthCheckTimeout: 0
@@ -596,6 +525,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -605,6 +538,13 @@
mon:
allowMultiplePerNode: false
count: 3
+ network:
+ connections:
+ compression:
+ enabled: false
+ encryption:
+ enabled: false
+ requireMsgr2: false
priorityClassNames:
mgr: system-cluster-critical
mon: system-node-critical
@@ -625,6 +565,13 @@
requests:
cpu: 100m
memory: 60Mi
+ exporter:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
logcollector:
limits:
cpu: 500m
@@ -661,9 +608,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
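Review bot: The six RoleBindings to the `psp:rook` ClusterRole for the cluster service accounts (`default`, `rook-ceph-osd`, `rook-ceph-rgw`, `rook-ceph-mgr`, `rook-ceph-cmd-reporter`, `rook-ceph-purge-osd`) are dropped in the hunk starting at `@@ -294,102 +317,6 @@`, but nothing in this file section shows what now gates those workloads in the `default` namespace that the `# namespace:cluster` comments point at. On Kubernetes 1.25+ PodSecurityPolicy no longer exists and Pod Security Admission decides instead, and the removed PSP's own comments (hostPath, hostIPC, hostPID, hostNetwork) mean the cluster namespace needs a level that permits them — presumably a `pod-security.kubernetes.io/enforce: privileged` namespace label, unless the cluster's PSA defaults already allow it — or the OSD/mon pods will be rejected at admission. If the target cluster is older than 1.25 and still enforces PSP, removing these bindings takes away the `use` grant and the daemons stop scheduling, so the PR description should state which Kubernetes version this was rendered and tested against. The same removal is re-shown in the second copy of this file after the force-push, from its `@@ -294,102 +317,6 @@` hunk on.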
Path: @@ -95,6 +95,7 @@
imageFormat: "2"
reclaimPolicy: Delete
allowVolumeExpansion: true
+volumeBindingMode: Immediate
---
# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -134,10 +135,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -197,9 +198,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -294,102 +317,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -536,11 +463,14 @@
---
---
+
+---
# Source: rook-ceph-cluster/templates/cephblockpool.yaml
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: ceph-blockpool
+ namespace: default # namespace:cluster
spec:
failureDomain: host
replicated:
@@ -551,12 +481,13 @@
kind: CephCluster
metadata:
name: default
+ namespace: default # namespace:cluster
spec:
monitoring:
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.6
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -573,8 +504,6 @@
urlPrefix: /
dataDirHostPath: /var/lib/rook
disruptionManagement:
- machineDisruptionBudgetNamespace: openshift-machine-api
- manageMachineDisruptionBudgets: false
managePodBudgets: true
osdMaintenanceTimeout: 30
pgHealthCheckTimeout: 0
@@ -596,6 +525,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -605,6 +538,13 @@
mon:
allowMultiplePerNode: false
count: 3
+ network:
+ connections:
+ compression:
+ enabled: false
+ encryption:
+ enabled: false
+ requireMsgr2: false
priorityClassNames:
mgr: system-cluster-critical
mon: system-node-critical
@@ -625,6 +565,13 @@
requests:
cpu: 100m
memory: 60Mi
+ exporter:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
logcollector:
limits:
cpu: 500m
@@ -661,9 +608,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
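Review bot: `image: quay.io/ceph/ceph:v17.2.6` under `cephVersion` in hunk `@@ -551,12 +481,13 @@` is pinned by tag only, so the bytes the mon/mgr/OSD daemons run can change under a tag re-push with no diff in this repo. Since this is a Renovate-managed bump, consider enabling digest pinning for this image so the rendered line becomes `image: quay.io/ceph/ceph:v17.2.6@sha256:<DIGEST-FROM-REGISTRY>` and future changes stay reviewable; the same line appears in the first copy of this file at the matching hunk. Separately, `network.connections.encryption.enabled: false` and `requireMsgr2: false` are now rendered explicitly in `@@ -605,6 +538,13 @@`; that matches the upstream default, but a one-line note in the PR description confirming the cluster network is trusted would document that in-transit encryption was left off deliberately rather than inherited.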
Path: @@ -1,86 +1,4 @@
---
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision privileged (for kube-system namespace)
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -211,6 +129,20 @@
# imagePullSecrets:
# - name: my-registry-secret
---
+# Source: rook-ceph/templates/serviceaccount.yaml
+# Service account for Ceph COSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: objectstorage-provisioner
+ namespace: default # namespace:operator
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+---
# Source: rook-ceph/templates/configmap.yaml
# Operator settings that can be updated without an operator restart
# Operator settings that require an operator restart are found in the operator env vars
@@ -218,26 +150,33 @@
apiVersion: v1
metadata:
name: rook-ceph-operator-config
+ namespace: default # namespace:operator
data:
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
+ ROOK_ENABLE_DISCOVERY_DAEMON: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
+ ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
CSI_ENABLE_CSIADDONS: "false"
+ ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.8.0"
+ CSI_ENABLE_TOPOLOGY: "false"
+ CSI_ENABLE_READ_AFFINITY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -246,8 +185,11 @@
CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
- CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_CEPHFS_ATTACH_REQUIRED: "true"
+ CSI_RBD_ATTACH_REQUIRED: "true"
+ CSI_NFS_ATTACH_REQUIRED: "true"
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -271,9 +213,12 @@
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["create", "get", "delete", "update"]
+ - apiGroups: ["csiaddons.openshift.io"]
+ resources: ["networkfences"]
+ verbs: ["create", "get", "update", "delete", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
# The cluster role for managing all the cluster-specific resources in a namespace
@@ -332,9 +277,8 @@
# Node access is needed for determining nodes where mons should run
- nodes
- nodes/proxy
- - services
# Rook watches secrets which it uses to configure access to external resources.
- # e.g., external Ceph cluster; TLS certificates for the admission controller or object store
+ # e.g., external Ceph cluster or object store
- secrets
# Rook watches for changes to the rook-operator-config configmap
- configmaps
@@ -352,6 +296,7 @@
- persistentvolumeclaims
# Rook creates endpoints for mgr and object store access
- endpoints
+ - services
verbs:
- get
- list
@@ -380,6 +325,7 @@
- create
- update
- delete
+ - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
resources:
@@ -399,6 +345,7 @@
- cephfilesystemmirrors
- cephfilesystemsubvolumegroups
- cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- get
- list
@@ -467,6 +414,14 @@
- delete
- deletecollection
- apiGroups:
+ - apps
+ resources:
+ # This is to add osd deployment owner ref on key rotation
+ # cron jobs.
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
- healthchecking.openshift.io
resources:
- machinedisruptionbudgets
@@ -651,19 +606,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -675,11 +618,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +634,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +670,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +699,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,71 +719,58 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: 'psp:rook'
+ name: objectstorage-provisioner-role
labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+rules:
+ - apiGroups: ["objectstorage.k8s.io"]
+ resources: ["buckets", "bucketaccesses", "bucketclaims", "bucketaccessclasses", "buckets/status", "bucketaccesses/status", "bucketclaims/status", "bucketaccessclasses/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["secrets", "events"]
+ verbs: ["get", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -946,28 +876,30 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: rook-csi-cephfs-provisioner-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-csi-nodeplugin
+ name: cephfs-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
+# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
+# otherwise operator-sdk will create a individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-nodeplugin-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
+ name: rook-csi-cephfs-plugin-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
@@ -984,81 +916,24 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrolebinding.yaml
+# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
+ name: objectstorage-provisioner-role-binding
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: objectstorage-provisioner
namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
roleRef:
- apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
+ name: objectstorage-provisioner-role
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
---
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
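Review bot: Removing the last `psp:rook` ClusterRoleBindings here leaves the chart with nothing that states the privilege level the Ceph daemons run at, whereas the deleted `00-rook-privileged` policy (its definition is dropped later in this PR) spelled out `privileged`, `hostPID`, `hostIPC`, `hostNetwork` and `SYS_ADMIN`. If the target cluster enforces Pod Security Admission, the operator and cluster namespaces would likely need a `pod-security.kubernetes.io/enforce: privileged` label (or an equivalent exemption) before the mon/OSD pods are admitted; add that to the namespace manifest or document it next to these bindings so the requirement is not lost with the PSP. The new `objectstorage-provisioner-role-binding` binds the COSI service account cluster-wide, so it is worth gating on whether the COSI driver is actually enabled in this deployment rather than rendering it unconditionally.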
@@ -1068,10 +943,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
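Review bot: The new `update` verb on `secrets` is not narrowed with `resourceNames`, so the service account bound to this namespaced Role can now overwrite any secret in the cluster namespace, not only the KMS token the comment above describes. If the token secret's name is known at render time, add a `resourceNames:` list to this rule, or split it into a broad `get` rule and a narrowly named `update` rule so key rotation works without granting writes to every keyring secret in the namespace. The Role's name and its subject are outside this hunk, so which workload gains the write is not visible here.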
@@ -1131,9 +1006,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -1269,6 +1166,7 @@
- create
- update
- delete
+ - deletecollection
- apiGroups:
- batch
resources:
@@ -1284,6 +1182,13 @@
- get
- create
- delete
+ - apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ verbs:
+ - get
+ - create
---
# Source: rook-ceph/templates/role.yaml
kind: Role
@@ -1292,12 +1197,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,113 +1208,11 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1615,6 +1412,7 @@
kind: Deployment
metadata:
name: rook-ceph-operator
+ namespace: default # namespace:operator
labels:
operator: rook
storage-backend: ceph
@@ -1633,35 +1431,37 @@
labels:
app: rook-ceph-operator
spec:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 5
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.13.1"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 2016
runAsNonRoot: true
runAsUser: 2016
- runAsGroup: 2016
volumeMounts:
- mountPath: /var/lib/rook
name: rook-config
- mountPath: /etc/ceph
name: default-config-dir
- - mountPath: /etc/webhook
- name: webhook-cert
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- - name: ROOK_ENABLE_DISCOVERY_DAEMON
- value: "false"
- - name: ROOK_DISABLE_ADMISSION_CONTROLLER
- value: "false"
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
- name: NODE_NAME
valueFrom:
fieldRef:
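Review bot: The operator container's securityContext now drops all capabilities and runs as non-root, but it still sets neither `allowPrivilegeEscalation: false` nor a `seccompProfile`, so the pod would not satisfy the Pod Security Standards `restricted` profile even though nothing here appears to need escalation; add `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` next to `capabilities.drop: [ALL]`. The `webhook-cert` mount and the `ROOK_DISABLE_ADMISSION_CONTROLLER` env are removed in the same hunk, which reads as the validating admission webhook no longer being served by this Deployment — worth confirming what now validates CephCluster specs before apply. The image tag also jumps from `rook/ceph:v1.9.7` to `rook/ceph:v1.13.1`, skipping several minor releases; as I recall Rook's upgrade guidance expects minor-by-minor steps for an existing cluster, so confirm this is a fresh install or plan intermediate upgrades. The pod spec (volumes) continues outside this hunk.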
@@ -1687,5 +1487,7 @@
emptyDir: {}
- name: default-config-dir
emptyDir: {}
- - name: webhook-cert
- emptyDir: {}
+# Source: rook-ceph/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+--- |
Path: @@ -95,6 +95,7 @@
imageFormat: "2"
reclaimPolicy: Delete
allowVolumeExpansion: true
+volumeBindingMode: Immediate
---
# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -134,10 +135,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -197,9 +198,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -294,102 +317,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -536,11 +463,14 @@
---
---
+
+---
# Source: rook-ceph-cluster/templates/cephblockpool.yaml
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: ceph-blockpool
+ namespace: default # namespace:cluster
spec:
failureDomain: host
replicated:
@@ -551,12 +481,13 @@
kind: CephCluster
metadata:
name: default
+ namespace: default # namespace:cluster
spec:
monitoring:
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v17.2.6
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -573,8 +504,6 @@
urlPrefix: /
dataDirHostPath: /var/lib/rook
disruptionManagement:
- machineDisruptionBudgetNamespace: openshift-machine-api
- manageMachineDisruptionBudgets: false
managePodBudgets: true
osdMaintenanceTimeout: 30
pgHealthCheckTimeout: 0
@@ -596,6 +525,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -605,6 +538,13 @@
mon:
allowMultiplePerNode: false
count: 3
+ network:
+ connections:
+ compression:
+ enabled: false
+ encryption:
+ enabled: false
+ requireMsgr2: false
priorityClassNames:
mgr: system-cluster-critical
mon: system-node-critical
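Review bot: The new `network.connections` stanza explicitly leaves Ceph on-wire encryption off (`encryption.enabled: false`) and does not require msgr2 (`requireMsgr2: false`), so mon/OSD/client traffic stays cleartext and legacy msgr1 clients remain accepted. If the node kernels support msgr2 secure mode for the RBD/CephFS clients in use, consider `encryption.enabled: true` together with `requireMsgr2: true`; if not, a short comment stating that cleartext is a deliberate choice for a trusted cluster network would make the intent reviewable. These appear to be the upstream defaults, so the change only makes the existing posture explicit rather than weakening it.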
@@ -625,6 +565,13 @@
requests:
cpu: 100m
memory: 60Mi
+ exporter:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
logcollector:
limits:
cpu: 500m
@@ -661,9 +608,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
Path: @@ -1,86 +1,4 @@
---
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision privileged (for kube-system namespace)
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -211,6 +129,20 @@
# imagePullSecrets:
# - name: my-registry-secret
---
+# Source: rook-ceph/templates/serviceaccount.yaml
+# Service account for Ceph COSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: objectstorage-provisioner
+ namespace: default # namespace:operator
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+---
# Source: rook-ceph/templates/configmap.yaml
# Operator settings that can be updated without an operator restart
# Operator settings that require an operator restart are found in the operator env vars
@@ -218,26 +150,33 @@
apiVersion: v1
metadata:
name: rook-ceph-operator-config
+ namespace: default # namespace:operator
data:
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
+ ROOK_ENABLE_DISCOVERY_DAEMON: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
+ ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
CSI_ENABLE_CSIADDONS: "false"
+ ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.8.0"
+ CSI_ENABLE_TOPOLOGY: "false"
+ CSI_ENABLE_READ_AFFINITY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
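Review bot: The new `ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.8.0"` is pinned by a mutable tag, and the new `ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"` means whatever a node already has cached under that tag wins, so a re-pushed upstream tag would go unnoticed. Pin the image by digest (`quay.io/csiaddons/k8s-sidecar:v0.8.0@sha256:<digest>`) or keep the pull policy at `Always` while images are tag-pinned. Minor: `CSI_ENABLE_NFS_SNAPSHOTTER: "true"` is added while `ROOK_CSI_ENABLE_NFS` stays `"false"`, which is harmless but reads as a stray default worth a comment.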
@@ -246,8 +185,11 @@
CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
- CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_CEPHFS_ATTACH_REQUIRED: "true"
+ CSI_RBD_ATTACH_REQUIRED: "true"
+ CSI_NFS_ATTACH_REQUIRED: "true"
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -271,9 +213,12 @@
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["create", "get", "delete", "update"]
+ - apiGroups: ["csiaddons.openshift.io"]
+ resources: ["networkfences"]
+ verbs: ["create", "get", "update", "delete", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
# The cluster role for managing all the cluster-specific resources in a namespace
@@ -332,9 +277,8 @@
# Node access is needed for determining nodes where mons should run
- nodes
- nodes/proxy
- - services
# Rook watches secrets which it uses to configure access to external resources.
- # e.g., external Ceph cluster; TLS certificates for the admission controller or object store
+ # e.g., external Ceph cluster or object store
- secrets
# Rook watches for changes to the rook-operator-config configmap
- configmaps
@@ -352,6 +296,7 @@
- persistentvolumeclaims
# Rook creates endpoints for mgr and object store access
- endpoints
+ - services
verbs:
- get
- list
@@ -380,6 +325,7 @@
- create
- update
- delete
+ - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
resources:
@@ -399,6 +345,7 @@
- cephfilesystemmirrors
- cephfilesystemsubvolumegroups
- cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- get
- list
@@ -467,6 +414,14 @@
- delete
- deletecollection
- apiGroups:
+ - apps
+ resources:
+ # This is to add osd deployment owner ref on key rotation
+ # cron jobs.
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
- healthchecking.openshift.io
resources:
- machinedisruptionbudgets
@@ -651,19 +606,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -675,11 +618,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +634,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +670,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +699,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,71 +719,58 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: 'psp:rook'
+ name: objectstorage-provisioner-role
labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+rules:
+ - apiGroups: ["objectstorage.k8s.io"]
+ resources: ["buckets", "bucketaccesses", "bucketclaims", "bucketaccessclasses", "buckets/status", "bucketaccesses/status", "bucketclaims/status", "bucketaccessclasses/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["secrets", "events"]
+ verbs: ["get", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
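Review bot: The new `objectstorage-provisioner-role` ClusterRole grants `get`, `delete`, `update` and `create` on `secrets` in every namespace with no `resourceNames`, and it is bound through a ClusterRoleBinding elsewhere in this PR, so a compromised COSI driver pod could read or replace any secret in the cluster by name. If the driver only needs the bucket-credential secrets it manages in the operator namespace, a namespaced Role plus RoleBinding there would cover that; at minimum split the combined rule so `events` keeps `create`/`update` and `secrets` gets its own narrower rule. The removal of the `replication.storage.openshift.io` rules from the provisioner runner earlier in the hunk is a welcome tightening and needs no change.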
@@ -946,28 +876,30 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: rook-csi-cephfs-provisioner-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-csi-nodeplugin
+ name: cephfs-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
+# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
+# otherwise operator-sdk will create a individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-nodeplugin-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
+ name: rook-csi-cephfs-plugin-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
@@ -984,81 +916,24 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrolebinding.yaml
+# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
+ name: objectstorage-provisioner-role-binding
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: objectstorage-provisioner
namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
roleRef:
- apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
+ name: objectstorage-provisioner-role
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
---
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
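Review bot: Removing the psp:rook bindings for rook-ceph-system and the four CSI service accounts leaves the host-level privileges those pods rely on (privileged containers, hostPID/hostIPC/hostNetwork and hostPath, as the deleted PSP spelled out) governed solely by Pod Security Admission, which nothing in this diff configures. If the cluster applies a baseline or restricted default through its admission configuration the OSD and CSI pods will be rejected, and if it does not they run with no admission-level constraint at all, so the operator and cluster namespaces should carry an explicit `pod-security.kubernetes.io/enforce: privileged` label (with `audit`/`warn` at `baseline` to keep visibility) wherever those Namespaces are defined, plus a comment that the exemption is deliberate. The new objectstorage-provisioner-role-binding is cluster-scoped and appears to be rendered unconditionally; if the COSI driver is not in use here, gate it behind the chart value so an idle service account does not hold cluster-wide rights.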
@@ -1068,10 +943,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
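Review bot: The widening from `get` to `get, update` on `secrets` applies to every Secret in the cluster namespace, not only the vault-token Secret the comment describes, because the rule carries no `resourceNames`. Whatever service account this Role is bound to (the Role's name and its binding are outside the hunk) can therefore overwrite the mon and admin keyrings and any other Secret in that namespace, which turns a compromise of that pod into control of the Ceph cluster's credentials. If the key-rotation path only touches a known set of Secrets, restrict the rule with `resourceNames:`; if the names are generated (presumably per-OSD encryption-key Secrets), at least say so here, e.g. `# NOTE: update is namespace-wide because rotation targets generated per-OSD key Secrets; no resourceNames possible`. The same hunk recurs in the rook-ceph-cluster chart further down and should get the same treatment.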
@@ -1131,9 +1006,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -1269,6 +1166,7 @@
- create
- update
- delete
+ - deletecollection
- apiGroups:
- batch
resources:
@@ -1284,6 +1182,13 @@
- get
- create
- delete
+ - apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ verbs:
+ - get
+ - create
---
# Source: rook-ceph/templates/role.yaml
kind: Role
@@ -1292,12 +1197,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,113 +1208,11 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1615,6 +1412,7 @@
kind: Deployment
metadata:
name: rook-ceph-operator
+ namespace: default # namespace:operator
labels:
operator: rook
storage-backend: ceph
@@ -1633,35 +1431,37 @@
labels:
app: rook-ceph-operator
spec:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 5
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.13.1"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 2016
runAsNonRoot: true
runAsUser: 2016
- runAsGroup: 2016
volumeMounts:
- mountPath: /var/lib/rook
name: rook-config
- mountPath: /etc/ceph
name: default-config-dir
- - mountPath: /etc/webhook
- name: webhook-cert
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- - name: ROOK_ENABLE_DISCOVERY_DAEMON
- value: "false"
- - name: ROOK_DISABLE_ADMISSION_CONTROLLER
- value: "false"
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
- name: NODE_NAME
valueFrom:
fieldRef:
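Review bot: The new operator securityContext drops all capabilities and runs as non-root but leaves `allowPrivilegeEscalation` and `seccompProfile` unset, so the container can still regain privileges through setuid binaries and runs unconfined by seccomp unless the kubelet's SeccompDefault is on; adding `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` beside `capabilities.drop` would meet the restricted Pod Security Standard for this pod with no functional change. The image also jumps from rook/ceph:v1.9.7 straight to v1.13.1, four minor releases in one step, while the ceph image moves two major releases in the same diff; Rook's upgrade guide has historically supported only one minor release per upgrade, so this should be checked against the v1.13 upgrade notes before merging. The ROOK_DISABLE_ADMISSION_CONTROLLER env and the webhook-cert mount disappear without replacement, so the validating webhook that previously vetted Ceph CRs is gone — presumably validation now lives in the CRD schemas, but nothing else in the diff re-enables it, so that is worth confirming. The pod spec continues outside the hunk.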
@@ -1687,5 +1487,7 @@
emptyDir: {}
- name: default-config-dir
emptyDir: {}
- - name: webhook-cert
- emptyDir: {}
+# Source: rook-ceph/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+--- |
Path: @@ -95,6 +95,7 @@
imageFormat: "2"
reclaimPolicy: Delete
allowVolumeExpansion: true
+volumeBindingMode: Immediate
---
# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -134,10 +135,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -197,9 +198,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -294,102 +317,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -536,11 +463,14 @@
---
---
+
+---
# Source: rook-ceph-cluster/templates/cephblockpool.yaml
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: ceph-blockpool
+ namespace: default # namespace:cluster
spec:
failureDomain: host
replicated:
@@ -551,12 +481,13 @@
kind: CephCluster
metadata:
name: default
+ namespace: default # namespace:cluster
spec:
monitoring:
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v18.2.1
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -573,8 +504,6 @@
urlPrefix: /
dataDirHostPath: /var/lib/rook
disruptionManagement:
- machineDisruptionBudgetNamespace: openshift-machine-api
- manageMachineDisruptionBudgets: false
managePodBudgets: true
osdMaintenanceTimeout: 30
pgHealthCheckTimeout: 0
@@ -596,6 +525,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -605,6 +538,13 @@
mon:
allowMultiplePerNode: false
count: 3
+ network:
+ connections:
+ compression:
+ enabled: false
+ encryption:
+ enabled: false
+ requireMsgr2: false
priorityClassNames:
mgr: system-cluster-critical
mon: system-node-critical
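Review bot: `network.connections.encryption.enabled: false` together with `requireMsgr2: false` explicitly leaves Ceph on-wire traffic unencrypted and still accepts msgr v1 clients, and because the CSI plugins run with host networking (`CSI_ENABLE_HOST_NETWORK: "true"` in the operator configmap in this diff) that cleartext data path runs over the node network. If the nodes' kernels support msgr2 secure mode (required for krbd), I would set `encryption.enabled: true` and `requireMsgr2: true`; if that is not yet possible, the chosen defaults deserve a comment stating why, e.g. `# on-wire encryption left off: krbd on current node kernel lacks msgr2 secure mode; revisit after kernel upgrade`. Compression is unrelated to security and fine to leave disabled.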
@@ -625,6 +565,13 @@
requests:
cpu: 100m
memory: 60Mi
+ exporter:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
logcollector:
limits:
cpu: 500m
@@ -661,9 +608,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
Path: @@ -1,86 +1,4 @@
---
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision privileged (for kube-system namespace)
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -211,6 +129,20 @@
# imagePullSecrets:
# - name: my-registry-secret
---
+# Source: rook-ceph/templates/serviceaccount.yaml
+# Service account for Ceph COSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: objectstorage-provisioner
+ namespace: default # namespace:operator
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+---
# Source: rook-ceph/templates/configmap.yaml
# Operator settings that can be updated without an operator restart
# Operator settings that require an operator restart are found in the operator env vars
@@ -218,26 +150,33 @@
apiVersion: v1
metadata:
name: rook-ceph-operator-config
+ namespace: default # namespace:operator
data:
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
+ ROOK_ENABLE_DISCOVERY_DAEMON: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
+ ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
CSI_ENABLE_CSIADDONS: "false"
+ ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.8.0"
+ CSI_ENABLE_TOPOLOGY: "false"
+ CSI_ENABLE_READ_AFFINITY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -246,8 +185,11 @@
CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
- CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_CEPHFS_ATTACH_REQUIRED: "true"
+ CSI_RBD_ATTACH_REQUIRED: "true"
+ CSI_NFS_ATTACH_REQUIRED: "true"
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -271,9 +213,12 @@
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["create", "get", "delete", "update"]
+ - apiGroups: ["csiaddons.openshift.io"]
+ resources: ["networkfences"]
+ verbs: ["create", "get", "update", "delete", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
# The cluster role for managing all the cluster-specific resources in a namespace
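Review bot: The new `networkfences` rule grants this cluster role create/update/delete on csiaddons.openshift.io NetworkFence objects cluster-wide, the primitive used to fence client IPs from the Ceph cluster; that is a legitimate need for node-loss handling, but it means the holder can isolate any storage client, and it is granted even though `CSI_ENABLE_CSIADDONS` is `"false"` in this deployment. I would gate the rule behind the CSI-Addons toggle if the chart allows it, or add a comment acknowledging the standing permission, e.g. `# NetworkFence create/delete is held even with CSIAddons disabled; used for node-loss fencing once enabled`. The removed `validatingwebhookconfigurations` rule, together with the webhook-cert mount and env dropped from the operator Deployment elsewhere in this diff, means the admission webhook no longer exists, so it is worth confirming against the Rook v1.13 notes that CRD schema validation now covers what the webhook enforced. The enclosing ClusterRole's name is outside the hunk.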
@@ -332,9 +277,8 @@
# Node access is needed for determining nodes where mons should run
- nodes
- nodes/proxy
- - services
# Rook watches secrets which it uses to configure access to external resources.
- # e.g., external Ceph cluster; TLS certificates for the admission controller or object store
+ # e.g., external Ceph cluster or object store
- secrets
# Rook watches for changes to the rook-operator-config configmap
- configmaps
@@ -352,6 +296,7 @@
- persistentvolumeclaims
# Rook creates endpoints for mgr and object store access
- endpoints
+ - services
verbs:
- get
- list
@@ -380,6 +325,7 @@
- create
- update
- delete
+ - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
resources:
@@ -399,6 +345,7 @@
- cephfilesystemmirrors
- cephfilesystemsubvolumegroups
- cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- get
- list
@@ -467,6 +414,14 @@
- delete
- deletecollection
- apiGroups:
+ - apps
+ resources:
+ # This is to add osd deployment owner ref on key rotation
+ # cron jobs.
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
- healthchecking.openshift.io
resources:
- machinedisruptionbudgets
@@ -651,19 +606,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -675,11 +618,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +634,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +670,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +699,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,71 +719,58 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: 'psp:rook'
+ name: objectstorage-provisioner-role
labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+rules:
+ - apiGroups: ["objectstorage.k8s.io"]
+ resources: ["buckets", "bucketaccesses", "bucketclaims", "bucketaccessclasses", "buckets/status", "bucketaccesses/status", "bucketclaims/status", "bucketaccessclasses/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["secrets", "events"]
+ verbs: ["get", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
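Review bot: The new `objectstorage-provisioner-role` ClusterRole grants `get`, `create`, `update` and `delete` on `secrets` in every namespace with no `resourceNames`, which lets the COSI driver's service account read or overwrite any Secret in the cluster — `get` by name is enough to pull, for example, the Ceph admin keyring Secret. The driver does need to create and delete the bucket-access credential Secrets it issues, but those live in the requesting tenants' namespaces, so if COSI is only consumed from a bounded set of namespaces, namespaced RoleBindings per tenant namespace are the least-privilege shape; otherwise the blanket rule should at least be called out, e.g. `# cluster-wide secrets access: COSI writes BucketAccess credential Secrets into arbitrary tenant namespaces`. The `events` verbs in the same rule and the `leases` rule for leader election are unremarkable. This role is bound cluster-wide later in the diff and appears to be rendered unconditionally, so if the COSI driver is not in use here, gate it off.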
@@ -946,28 +876,30 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: rook-csi-cephfs-provisioner-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-csi-nodeplugin
+ name: cephfs-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
+# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
+# otherwise operator-sdk will create a individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-nodeplugin-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
+ name: rook-csi-cephfs-plugin-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
@@ -984,81 +916,24 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrolebinding.yaml
+# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
+ name: objectstorage-provisioner-role-binding
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: objectstorage-provisioner
namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
roleRef:
- apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
+ name: objectstorage-provisioner-role
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
---
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
@@ -1068,10 +943,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -1131,9 +1006,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -1269,6 +1166,7 @@
- create
- update
- delete
+ - deletecollection
- apiGroups:
- batch
resources:
@@ -1284,6 +1182,13 @@
- get
- create
- delete
+ - apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ verbs:
+ - get
+ - create
---
# Source: rook-ceph/templates/role.yaml
kind: Role
@@ -1292,12 +1197,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,113 +1208,11 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1615,6 +1412,7 @@
kind: Deployment
metadata:
name: rook-ceph-operator
+ namespace: default # namespace:operator
labels:
operator: rook
storage-backend: ceph
@@ -1633,35 +1431,37 @@
labels:
app: rook-ceph-operator
spec:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 5
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.13.2"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 2016
runAsNonRoot: true
runAsUser: 2016
- runAsGroup: 2016
volumeMounts:
- mountPath: /var/lib/rook
name: rook-config
- mountPath: /etc/ceph
name: default-config-dir
- - mountPath: /etc/webhook
- name: webhook-cert
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- - name: ROOK_ENABLE_DISCOVERY_DAEMON
- value: "false"
- - name: ROOK_DISABLE_ADMISSION_CONTROLLER
- value: "false"
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
- name: NODE_NAME
valueFrom:
fieldRef:
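Review bot: The operator container's securityContext gains `capabilities.drop: [ALL]` but sets neither `allowPrivilegeEscalation: false` nor a `seccompProfile`, and with the chart's PodSecurityPolicy removed (it pinned `runtime/default` seccomp via annotation) nothing else supplies a seccomp profile for this pod. Add `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` under the existing `securityContext` so the operator can run under a `restricted` Pod Security Admission profile once PSP is gone. Separately, the image moves from `rook/ceph:v1.9.7` to `rook/ceph:v1.13.2` while the PR title still says v1.10.2; as I recall Rook's upgrade guide expects minor versions to be stepped one at a time, so this should be confirmed before merging. The removal of `ROOK_DISABLE_ADMISSION_CONTROLLER` and the webhook-cert mount presumably reflects the upstream removal of the validating webhook, which means CR validation now depends on the CRD schemas shipped with this chart being updated in the same release.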
@@ -1687,5 +1487,7 @@
emptyDir: {}
- name: default-config-dir
emptyDir: {}
- - name: webhook-cert
- emptyDir: {}
+# Source: rook-ceph/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+--- |
Path: @@ -95,6 +95,7 @@
imageFormat: "2"
reclaimPolicy: Delete
allowVolumeExpansion: true
+volumeBindingMode: Immediate
---
# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -134,10 +135,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
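Review bot: The `secrets` rule in this namespaced Role widens from `get` to `get, update` with no `resourceNames`, so the bound service account (the Role's header and its binding are outside this hunk) can now overwrite any Secret in the cluster namespace, presumably including the keyring Secrets Rook stores there, not just the KMS token the comment describes. The widening is upstream's for key rotation, and because the token Secret's name is user-chosen it cannot be templated into `resourceNames`; no KMS configuration is visible in this diff, so the extra verb is likely dormant but remains usable from any pod running with that service account. Worth confirming which SA binds this Role and that only the expected Ceph daemons run under it.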
@@ -197,9 +198,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -294,102 +317,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -536,11 +463,14 @@
---
---
+
+---
# Source: rook-ceph-cluster/templates/cephblockpool.yaml
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: ceph-blockpool
+ namespace: default # namespace:cluster
spec:
failureDomain: host
replicated:
@@ -551,12 +481,13 @@
kind: CephCluster
metadata:
name: default
+ namespace: default # namespace:cluster
spec:
monitoring:
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v18.2.1
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
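Review bot: `cephVersion.image` jumps from `quay.io/ceph/ceph:v16.2.9` (Pacific) to `quay.io/ceph/ceph:v18.2.1` (Reef), skipping Quincy, in the same apply that moves the operator several minor versions; as I understand Ceph's release notes a two-release upgrade is permitted, but the combined jump should be rehearsed on a non-production cluster and the daemon versions checked with `ceph versions` before OSDs are restarted. Keeping `allowUnsupported: false` is the right call, since it makes the operator refuse a Ceph build the new Rook release does not support. From a supply-chain angle the image is referenced by a mutable tag; pinning it as `image: quay.io/ceph/ceph:v18.2.1@sha256:<digest>` (Renovate can maintain the digest) makes the rollout reproducible and tamper-evident.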
@@ -573,8 +504,6 @@
urlPrefix: /
dataDirHostPath: /var/lib/rook
disruptionManagement:
- machineDisruptionBudgetNamespace: openshift-machine-api
- manageMachineDisruptionBudgets: false
managePodBudgets: true
osdMaintenanceTimeout: 30
pgHealthCheckTimeout: 0
@@ -596,6 +525,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -605,6 +538,13 @@
mon:
allowMultiplePerNode: false
count: 3
+ network:
+ connections:
+ compression:
+ enabled: false
+ encryption:
+ enabled: false
+ requireMsgr2: false
priorityClassNames:
mgr: system-cluster-critical
mon: system-node-critical
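Review bot: The new `network.connections` stanza explicitly leaves Ceph on-wire encryption off (`encryption.enabled: false`) and does not require msgr2 (`requireMsgr2: false`), so mon, OSD replication and client traffic on the cluster network stays cleartext and the legacy v1 messenger is still accepted. If the node kernels support msgr2 secure mode (Rook's documentation ties kernel-RBD encryption support to recent kernels; confirm for your nodes), set `encryption: { enabled: true }` and consider `requireMsgr2: true`; otherwise add a comment above the stanza recording the decision, e.g. `# on-wire encryption deliberately off: node kernels lack msgr2 secure-mode support`. Changing these settings later will likely restart every Ceph daemon, so it is cheapest to decide now.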
@@ -625,6 +565,13 @@
requests:
cpu: 100m
memory: 60Mi
+ exporter:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
logcollector:
limits:
cpu: 500m
@@ -661,9 +608,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
Path: @@ -1,86 +1,4 @@
---
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision privileged (for kube-system namespace)
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -211,6 +129,20 @@
# imagePullSecrets:
# - name: my-registry-secret
---
+# Source: rook-ceph/templates/serviceaccount.yaml
+# Service account for Ceph COSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: objectstorage-provisioner
+ namespace: default # namespace:operator
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+---
# Source: rook-ceph/templates/configmap.yaml
# Operator settings that can be updated without an operator restart
# Operator settings that require an operator restart are found in the operator env vars
@@ -218,26 +150,33 @@
apiVersion: v1
metadata:
name: rook-ceph-operator-config
+ namespace: default # namespace:operator
data:
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
+ ROOK_ENABLE_DISCOVERY_DAEMON: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
+ ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
CSI_ENABLE_CSIADDONS: "false"
+ ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.8.0"
+ CSI_ENABLE_TOPOLOGY: "false"
+ CSI_ENABLE_READ_AFFINITY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -246,8 +185,11 @@
CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
- CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_CEPHFS_ATTACH_REQUIRED: "true"
+ CSI_RBD_ATTACH_REQUIRED: "true"
+ CSI_NFS_ATTACH_REQUIRED: "true"
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -271,9 +213,12 @@
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["create", "get", "delete", "update"]
+ - apiGroups: ["csiaddons.openshift.io"]
+ resources: ["networkfences"]
+ verbs: ["create", "get", "update", "delete", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
# The cluster role for managing all the cluster-specific resources in a namespace
@@ -332,9 +277,8 @@
# Node access is needed for determining nodes where mons should run
- nodes
- nodes/proxy
- - services
# Rook watches secrets which it uses to configure access to external resources.
- # e.g., external Ceph cluster; TLS certificates for the admission controller or object store
+ # e.g., external Ceph cluster or object store
- secrets
# Rook watches for changes to the rook-operator-config configmap
- configmaps
@@ -352,6 +296,7 @@
- persistentvolumeclaims
# Rook creates endpoints for mgr and object store access
- endpoints
+ - services
verbs:
- get
- list
@@ -380,6 +325,7 @@
- create
- update
- delete
+ - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
resources:
@@ -399,6 +345,7 @@
- cephfilesystemmirrors
- cephfilesystemsubvolumegroups
- cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- get
- list
@@ -467,6 +414,14 @@
- delete
- deletecollection
- apiGroups:
+ - apps
+ resources:
+ # This is to add osd deployment owner ref on key rotation
+ # cron jobs.
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
- healthchecking.openshift.io
resources:
- machinedisruptionbudgets
@@ -651,19 +606,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -675,11 +618,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +634,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +670,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +699,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,71 +719,58 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: 'psp:rook'
+ name: objectstorage-provisioner-role
labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+rules:
+ - apiGroups: ["objectstorage.k8s.io"]
+ resources: ["buckets", "bucketaccesses", "bucketclaims", "bucketaccessclasses", "buckets/status", "bucketaccesses/status", "bucketclaims/status", "bucketaccessclasses/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["secrets", "events"]
+ verbs: ["get", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -946,28 +876,30 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: rook-csi-cephfs-provisioner-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-csi-nodeplugin
+ name: cephfs-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
+# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
+# otherwise operator-sdk will create a individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-nodeplugin-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
+ name: rook-csi-cephfs-plugin-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
@@ -984,81 +916,24 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrolebinding.yaml
+# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
+ name: objectstorage-provisioner-role-binding
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: objectstorage-provisioner
namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
roleRef:
- apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
+ name: objectstorage-provisioner-role
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
---
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
@@ -1068,10 +943,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -1131,9 +1006,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -1269,6 +1166,7 @@
- create
- update
- delete
+ - deletecollection
- apiGroups:
- batch
resources:
@@ -1284,6 +1182,13 @@
- get
- create
- delete
+ - apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ verbs:
+ - get
+ - create
---
# Source: rook-ceph/templates/role.yaml
kind: Role
@@ -1292,12 +1197,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,113 +1208,11 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1615,6 +1412,7 @@
kind: Deployment
metadata:
name: rook-ceph-operator
+ namespace: default # namespace:operator
labels:
operator: rook
storage-backend: ceph
@@ -1633,35 +1431,37 @@
labels:
app: rook-ceph-operator
spec:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 5
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.13.2"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 2016
runAsNonRoot: true
runAsUser: 2016
- runAsGroup: 2016
volumeMounts:
- mountPath: /var/lib/rook
name: rook-config
- mountPath: /etc/ceph
name: default-config-dir
- - mountPath: /etc/webhook
- name: webhook-cert
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- - name: ROOK_ENABLE_DISCOVERY_DAEMON
- value: "false"
- - name: ROOK_DISABLE_ADMISSION_CONTROLLER
- value: "false"
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
- name: NODE_NAME
valueFrom:
fieldRef:
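Review bot: The operator container's `securityContext` in this hunk now drops all capabilities but still sets neither `allowPrivilegeEscalation: false` nor a `seccompProfile`, and since the `00-rook-privileged` PodSecurityPolicy that pinned `runtime/default` seccomp (and was bound to the `rook-ceph-system` service account) is removed in the same diff, nothing in the rendered manifest enforces a seccomp profile for the operator pod anymore. The PSP removal itself is expected on current Kubernetes, but unless Pod Security Admission or a cluster default fills the gap, consider adding `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` under the existing `securityContext`. The image is also pinned by tag (`rook/ceph:v1.13.2`) rather than digest, so the pull is not reproducible if the tag is re-published. The Deployment spec starts before this hunk and its volumes list continues after it.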
@@ -1687,5 +1487,7 @@
emptyDir: {}
- name: default-config-dir
emptyDir: {}
- - name: webhook-cert
- emptyDir: {}
+# Source: rook-ceph/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+--- |
Path: @@ -1,86 +1,4 @@
---
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision privileged (for kube-system namespace)
-# LICENSE README.md Taskfile.yml assets charts cluster containers default docs hack provision restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -211,6 +129,20 @@
# imagePullSecrets:
# - name: my-registry-secret
---
+# Source: rook-ceph/templates/serviceaccount.yaml
+# Service account for Ceph COSI driver
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: objectstorage-provisioner
+ namespace: default # namespace:operator
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+---
# Source: rook-ceph/templates/configmap.yaml
# Operator settings that can be updated without an operator restart
# Operator settings that require an operator restart are found in the operator env vars
@@ -218,26 +150,33 @@
apiVersion: v1
metadata:
name: rook-ceph-operator-config
+ namespace: default # namespace:operator
data:
ROOK_LOG_LEVEL: "INFO"
ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: "15"
ROOK_OBC_WATCH_OPERATOR_NAMESPACE: "true"
+ ROOK_CEPH_ALLOW_LOOP_DEVICES: "false"
+ ROOK_ENABLE_DISCOVERY_DAEMON: "false"
ROOK_CSI_ENABLE_RBD: "true"
ROOK_CSI_ENABLE_CEPHFS: "false"
CSI_ENABLE_CEPHFS_SNAPSHOTTER: "false"
+ CSI_ENABLE_NFS_SNAPSHOTTER: "true"
CSI_ENABLE_RBD_SNAPSHOTTER: "true"
CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: "false"
CSI_ENABLE_ENCRYPTION: "false"
CSI_ENABLE_OMAP_GENERATOR: "false"
CSI_ENABLE_HOST_NETWORK: "true"
+ CSI_ENABLE_METADATA: "false"
CSI_PLUGIN_PRIORITY_CLASSNAME: "system-node-critical"
CSI_PROVISIONER_PRIORITY_CLASSNAME: "system-cluster-critical"
- CSI_RBD_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_CEPHFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- CSI_NFS_FSGROUPPOLICY: "ReadWriteOnceWithFSType"
- ROOK_CSI_ENABLE_GRPC_METRICS: "false"
- CSI_ENABLE_VOLUME_REPLICATION: "false"
+ CSI_RBD_FSGROUPPOLICY: "File"
+ CSI_CEPHFS_FSGROUPPOLICY: "File"
+ CSI_NFS_FSGROUPPOLICY: "File"
+ ROOK_CSI_IMAGE_PULL_POLICY: "IfNotPresent"
CSI_ENABLE_CSIADDONS: "false"
+ ROOK_CSIADDONS_IMAGE: "quay.io/csiaddons/k8s-sidecar:v0.8.0"
+ CSI_ENABLE_TOPOLOGY: "false"
+ CSI_ENABLE_READ_AFFINITY: "false"
ROOK_CSI_ENABLE_NFS: "false"
CSI_FORCE_CEPHFS_KERNEL_CLIENT: "true"
CSI_GRPC_TIMEOUT_SECONDS: "150"
@@ -246,8 +185,11 @@
CSI_RBD_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-rbdplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-resizer\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-attacher\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-snapshotter\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
CSI_CEPHFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-cephfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : liveness-prometheus\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n"
- CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_NFS_PROVISIONER_RESOURCE: "- name : csi-provisioner\n resource:\n requests:\n memory: 128Mi\n cpu: 100m\n limits:\n memory: 256Mi\n cpu: 200m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n- name : csi-attacher\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
CSI_NFS_PLUGIN_RESOURCE: "- name : driver-registrar\n resource:\n requests:\n memory: 128Mi\n cpu: 50m\n limits:\n memory: 256Mi\n cpu: 100m\n- name : csi-nfsplugin\n resource:\n requests:\n memory: 512Mi\n cpu: 250m\n limits:\n memory: 1Gi\n cpu: 500m\n"
+ CSI_CEPHFS_ATTACH_REQUIRED: "true"
+ CSI_RBD_ATTACH_REQUIRED: "true"
+ CSI_NFS_ATTACH_REQUIRED: "true"
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -271,9 +213,12 @@
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["validatingwebhookconfigurations"]
- verbs: ["create", "get", "delete", "update"]
+ - apiGroups: ["csiaddons.openshift.io"]
+ resources: ["networkfences"]
+ verbs: ["create", "get", "update", "delete", "watch", "list"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
# The cluster role for managing all the cluster-specific resources in a namespace
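Review bot: The `validatingwebhookconfigurations` rule is dropped from this ClusterRole while the previous operator Deployment ran with `ROOK_DISABLE_ADMISSION_CONTROLLER: "false"`, so a ValidatingWebhookConfiguration the old admission controller may have registered would be left behind after the upgrade with no operator permission to delete it; a stale webhook pointing at a service that no longer exists can reject CephCluster and pool updates depending on its failurePolicy. Confirm before rolling this out that no such object remains, and delete it by hand if it does. The new `networkfences` rule is cluster-wide create/update/delete, which lets the operator isolate node IPs from the Ceph cluster; that is presumably intentional for fencing unreachable nodes, but it deserves a comment such as `# cluster-wide on purpose: operator fences unreachable nodes via CSI-Addons NetworkFence`. The enclosing ClusterRole's metadata starts outside this hunk.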
@@ -332,9 +277,8 @@
# Node access is needed for determining nodes where mons should run
- nodes
- nodes/proxy
- - services
# Rook watches secrets which it uses to configure access to external resources.
- # e.g., external Ceph cluster; TLS certificates for the admission controller or object store
+ # e.g., external Ceph cluster or object store
- secrets
# Rook watches for changes to the rook-operator-config configmap
- configmaps
@@ -352,6 +296,7 @@
- persistentvolumeclaims
# Rook creates endpoints for mgr and object store access
- endpoints
+ - services
verbs:
- get
- list
@@ -380,6 +325,7 @@
- create
- update
- delete
+ - deletecollection
# The Rook operator must be able to watch all ceph.rook.io resources to reconcile them.
- apiGroups: ["ceph.rook.io"]
resources:
@@ -399,6 +345,7 @@
- cephfilesystemmirrors
- cephfilesystemsubvolumegroups
- cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- get
- list
@@ -467,6 +414,14 @@
- delete
- deletecollection
- apiGroups:
+ - apps
+ resources:
+ # This is to add osd deployment owner ref on key rotation
+ # cron jobs.
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
- healthchecking.openshift.io
resources:
- machinedisruptionbudgets
@@ -651,19 +606,7 @@
rules:
- apiGroups: [""]
resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -675,11 +618,14 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@@ -688,30 +634,24 @@
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
- verbs: ["update", "patch"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
---
# Source: rook-ceph/templates/clusterrole.yaml
@@ -730,26 +670,23 @@
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list"]
- - apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update"]
+ verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
- verbs: ["get", "list"]
+ verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -762,13 +699,19 @@
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
- verbs: ["get", "list", "watch", "update", "patch"]
+ verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
@@ -776,71 +719,58 @@
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
+ resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
- resources: ["events"]
- verbs: ["list", "watch", "create", "update", "patch"]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
- verbs: ["get", "list", "watch", "update", "patch"]
- - apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents"]
- verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshotcontents/status"]
- verbs: ["update", "patch"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
- resources: ["volumesnapshots/status"]
- verbs: ["update", "patch"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims/status"]
+ resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications", "volumereplicationclasses"]
- verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/finalizers"]
- verbs: ["update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplications/status"]
- verbs: ["get", "patch", "update"]
- - apiGroups: ["replication.storage.openshift.io"]
- resources: ["volumereplicationclasses/status"]
- verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: 'psp:rook'
+ name: objectstorage-provisioner-role
labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
+rules:
+ - apiGroups: ["objectstorage.k8s.io"]
+ resources: ["buckets", "bucketaccesses", "bucketclaims", "bucketaccessclasses", "buckets/status", "bucketaccesses/status", "bucketclaims/status", "bucketaccessclasses/status"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["secrets", "events"]
+ verbs: ["get", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
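Review bot: The new `objectstorage-provisioner-role` ClusterRole in this hunk grants `get`, `create`, `update` and `delete` on `secrets` in every namespace with no `resourceNames` restriction, and the `objectstorage-provisioner-role-binding` added later in this diff binds it cluster-wide to the `objectstorage-provisioner` service account. Presumably the COSI driver needs this to publish bucket credentials into the namespaces of BucketAccess claims, but it means a compromise of that one workload yields read/write of arbitrary named Secrets cluster-wide even if no CephCOSIDriver is ever created; no COSI driver Deployment is visible in this diff to confirm it is used. If COSI is not needed here, consider not rendering the role and binding; otherwise add a comment such as `# cluster-wide secret write: COSI driver publishes bucket credentials into BucketAccess namespaces` so the scope is clearly deliberate. The verb list omits `list`/`watch`, so Secrets cannot be enumerated, only accessed by name.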
@@ -946,28 +876,30 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-provisioner-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: rook-csi-cephfs-provisioner-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-csi-nodeplugin
+ name: cephfs-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
+# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
+# otherwise operator-sdk will create a individual file for these.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-nodeplugin-role
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
+ name: rook-csi-cephfs-plugin-sa
namespace: default # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io
---
# Source: rook-ceph/templates/clusterrolebinding.yaml
@@ -984,81 +916,24 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
+# Source: rook-ceph/templates/clusterrolebinding.yaml
+# RBAC for ceph cosi driver service account
kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
+ name: objectstorage-provisioner-role-binding
+ labels:
+ app.kubernetes.io/part-of: container-object-storage-interface
+ app.kubernetes.io/component: driver-ceph
+ app.kubernetes.io/name: cosi-driver-ceph
subjects:
- kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
+ name: objectstorage-provisioner
namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
roleRef:
- apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
+ name: objectstorage-provisioner-role
apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
---
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
@@ -1068,10 +943,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
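Review bot: The `secrets` rule in this Role widens from `get` to `get, update` with no `resourceNames`, while the comment above it says the access exists only so the key-management CLI can read the vault token and rotate keys; as written, the bound service account can overwrite any Secret in the cluster namespace, which is also where Ceph keyrings live. If the token secret has a fixed name, scope the rule with `resourceNames: [<token-secret-name>]`; if the name is user-configurable, at least record in the comment why the rule cannot be scoped. The Role's metadata and its binding start outside this hunk, so which service account receives the new `update` verb is not visible here.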
@@ -1131,9 +1006,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -1269,6 +1166,7 @@
- create
- update
- delete
+ - deletecollection
- apiGroups:
- batch
resources:
@@ -1284,6 +1182,13 @@
- get
- create
- delete
+ - apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ verbs:
+ - get
+ - create
---
# Source: rook-ceph/templates/role.yaml
kind: Role
@@ -1292,12 +1197,6 @@
name: cephfs-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
@@ -1309,113 +1208,11 @@
name: rbd-external-provisioner-cfg
namespace: default # namespace:operator
rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "watch", "list", "delete", "update", "create"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "watch", "create", "delete", "update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1615,6 +1412,7 @@
kind: Deployment
metadata:
name: rook-ceph-operator
+ namespace: default # namespace:operator
labels:
operator: rook
storage-backend: ceph
@@ -1633,35 +1431,37 @@
labels:
app: rook-ceph-operator
spec:
+ tolerations:
+ - effect: NoExecute
+ key: node.kubernetes.io/unreachable
+ operator: Exists
+ tolerationSeconds: 5
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.7"
+ image: "rook/ceph:v1.13.3"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 2016
runAsNonRoot: true
runAsUser: 2016
- runAsGroup: 2016
volumeMounts:
- mountPath: /var/lib/rook
name: rook-config
- mountPath: /etc/ceph
name: default-config-dir
- - mountPath: /etc/webhook
- name: webhook-cert
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false"
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
value: "false"
- - name: ROOK_ENABLE_SELINUX_RELABELING
- value: "true"
- name: ROOK_DISABLE_DEVICE_HOTPLUG
value: "false"
- - name: ROOK_ENABLE_DISCOVERY_DAEMON
- value: "false"
- - name: ROOK_DISABLE_ADMISSION_CONTROLLER
- value: "false"
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
- name: NODE_NAME
valueFrom:
fieldRef:
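Review bot: The operator container's `securityContext` now drops all capabilities but leaves `allowPrivilegeEscalation` unset, so the hardening is incomplete; add `allowPrivilegeEscalation: false` next to `runAsNonRoot: true` (and `seccompProfile: type: RuntimeDefault` if the nodes support it). The image tag moves from `rook/ceph:v1.9.7` to `rook/ceph:v1.13.3` in one step, while the PR title says v1.10.2, the description says v1.10.6 and the table says v1.14.0 — confirm the rendered manifest matches the intended target before merging. Rook's upgrade guide, as far as I recall, supports moving one minor release at a time, so a v1.9 to v1.13 jump should be staged through intermediate releases rather than applied directly. The volumes block that pairs with the removed webhook mount is in the next hunk.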
@@ -1687,5 +1487,7 @@
emptyDir: {}
- name: default-config-dir
emptyDir: {}
- - name: webhook-cert
- emptyDir: {}
+# Source: rook-ceph/templates/securityContextConstraints.yaml
+# scc for the Rook and Ceph daemons
+# for creating cluster in openshift
+--- |
Path: @@ -95,6 +95,7 @@
imageFormat: "2"
reclaimPolicy: Delete
allowVolumeExpansion: true
+volumeBindingMode: Immediate
---
# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -134,10 +135,10 @@
namespace: default # namespace:cluster
rules:
# this is needed for rook's "key-management" CLI to fetch the vault token from the secret when
- # validating the connection details
+ # validating the connection details and for key rotation operations.
- apiGroups: [""]
resources: ["secrets"]
- verbs: ["get"]
+ verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "delete"]
@@ -197,9 +198,31 @@
- apiGroups:
- ceph.rook.io
resources:
- - "*"
+ - cephclients
+ - cephclusters
+ - cephblockpools
+ - cephfilesystems
+ - cephnfses
+ - cephobjectstores
+ - cephobjectstoreusers
+ - cephobjectrealms
+ - cephobjectzonegroups
+ - cephobjectzones
+ - cephbuckettopics
+ - cephbucketnotifications
+ - cephrbdmirrors
+ - cephfilesystemmirrors
+ - cephfilesystemsubvolumegroups
+ - cephblockpoolradosnamespaces
+ - cephcosidrivers
verbs:
- - "*"
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- apps
resources:
@@ -294,102 +317,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -536,11 +463,14 @@
---
---
+
+---
# Source: rook-ceph-cluster/templates/cephblockpool.yaml
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
name: ceph-blockpool
+ namespace: default # namespace:cluster
spec:
failureDomain: host
replicated:
@@ -551,12 +481,13 @@
kind: CephCluster
metadata:
name: default
+ namespace: default # namespace:cluster
spec:
monitoring:
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v18.2.1
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
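Review bot: `image: quay.io/ceph/ceph:v18.2.1` jumps Ceph two major releases (Pacific 16 to Reef 18) and pins by mutable tag only. Ceph permits skipping one release, but the operator must support both the running and the target version during the transition, so check the Rook release notes that the operator version in this PR still accepts the Pacific cluster it will find on upgrade. For reproducibility consider pinning the Ceph image by digest (`quay.io/ceph/ceph@sha256:<digest>`, placeholder) through the chart's cephVersion image value rather than by tag. The CephCluster spec continues past the hunk.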
@@ -573,8 +504,6 @@
urlPrefix: /
dataDirHostPath: /var/lib/rook
disruptionManagement:
- machineDisruptionBudgetNamespace: openshift-machine-api
- manageMachineDisruptionBudgets: false
managePodBudgets: true
osdMaintenanceTimeout: 30
pgHealthCheckTimeout: 0
@@ -596,6 +525,10 @@
disabled: false
osd:
disabled: false
+ logCollector:
+ enabled: true
+ maxLogSize: 500M
+ periodicity: daily
mgr:
allowMultiplePerNode: false
count: 2
@@ -605,6 +538,13 @@
mon:
allowMultiplePerNode: false
count: 3
+ network:
+ connections:
+ compression:
+ enabled: false
+ encryption:
+ enabled: false
+ requireMsgr2: false
priorityClassNames:
mgr: system-cluster-critical
mon: system-node-critical
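Review bot: `encryption.enabled: false` under `network.connections` renders in-transit encryption for Ceph daemons explicitly off with no comment recording that this is intentional, and `requireMsgr2: false` likewise keeps unencrypted msgr1 connections acceptable. If the cluster network is not trusted end to end, set `encryption.enabled: true` (Rook documentation notes this needs msgr2 and a sufficiently recent kernel for the RBD kernel client, so check node kernels first). Otherwise add a values comment such as `# in-transit encryption left disabled: cluster network trusted — confirm with <owner>` (placeholder) so the choice is reviewed rather than inherited from chart defaults.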
@@ -625,6 +565,13 @@
requests:
cpu: 100m
memory: 60Mi
+ exporter:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
logcollector:
limits:
cpu: 500m
@@ -661,9 +608,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
| datasource | package | from | to | | ---------- | ----------------- | ------ | ------- | | helm | rook-ceph | v1.9.7 | v1.14.0 | | helm | rook-ceph-cluster | v1.9.7 | v1.14.0 | | docker | rook/ceph | v1.9.7 | v1.14.0 |
This PR contains the following updates:
v1.9.7
->v1.10.6
v1.9.7
->v1.10.6
v1.9.7
->v1.10.6
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.