259 lines
6.9 KiB
YAML
259 lines
6.9 KiB
YAML
####################################################################################################
|
|
# This Pod Security Policy (PSP) allows Rook to run in Kubernetes environments using PSPs
|
|
####################################################################################################
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: 'psp:rook'
|
|
labels:
|
|
operator: rook
|
|
storage-backend: ceph
|
|
app.kubernetes.io/part-of: rook-ceph-operator
|
|
rules:
|
|
- apiGroups:
|
|
- policy
|
|
resources:
|
|
- podsecuritypolicies
|
|
resourceNames:
|
|
- 00-rook-privileged
|
|
verbs:
|
|
- use
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: rook-ceph-system-psp
|
|
labels:
|
|
operator: rook
|
|
storage-backend: ceph
|
|
app.kubernetes.io/part-of: rook-ceph-operator
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: 'psp:rook'
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-ceph-system
|
|
namespace: rook-ceph # namespace:operator
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: rook-csi-cephfs-plugin-sa-psp
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: 'psp:rook'
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-csi-cephfs-plugin-sa
|
|
namespace: rook-ceph # namespace:operator
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: rook-csi-cephfs-provisioner-sa-psp
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: 'psp:rook'
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-csi-cephfs-provisioner-sa
|
|
namespace: rook-ceph # namespace:operator
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: rook-csi-rbd-plugin-sa-psp
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: 'psp:rook'
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-csi-rbd-plugin-sa
|
|
namespace: rook-ceph # namespace:operator
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: rook-csi-rbd-provisioner-sa-psp
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: 'psp:rook'
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-csi-rbd-provisioner-sa
|
|
namespace: rook-ceph # namespace:operator
|
|
---
|
|
# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
|
|
# * privileged (for kube-system namespace)
|
|
# * restricted (for all logged in users)
|
|
#
|
|
# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
|
|
# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
|
|
# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
|
|
# environments with other `00`-prefixed PSPs.
|
|
#
|
|
# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: 00-rook-privileged
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
|
|
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
|
|
spec:
|
|
privileged: true
|
|
allowedCapabilities:
|
|
# required by CSI
|
|
- SYS_ADMIN
|
|
- MKNOD
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
# runAsUser, supplementalGroups - Rook needs to run some pods as root
|
|
# Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
# seLinux - seLinux context is unknown ahead of time; set if this is well-known
|
|
seLinux:
|
|
rule: RunAsAny
|
|
volumes:
|
|
# recommended minimum set
|
|
- configMap
|
|
- downwardAPI
|
|
- emptyDir
|
|
- persistentVolumeClaim
|
|
- secret
|
|
- projected
|
|
# required for Rook
|
|
- hostPath
|
|
# allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
|
|
# allowedHostPaths:
|
|
# - pathPrefix: "/run/udev" # for OSD prep
|
|
# readOnly: false
|
|
# - pathPrefix: "/dev" # for OSD prep
|
|
# readOnly: false
|
|
# - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
|
|
# readOnly: false
|
|
# Ceph requires host IPC for setting up encrypted devices
|
|
hostIPC: true
|
|
# Ceph OSDs need to share the same PID namespace
|
|
hostPID: true
|
|
# hostNetwork can be set to 'false' if host networking isn't used
|
|
hostNetwork: true
|
|
hostPorts:
|
|
# Ceph messenger protocol v1
|
|
- min: 6789
|
|
max: 6790 # <- support old default port
|
|
# Ceph messenger protocol v2
|
|
- min: 3300
|
|
max: 3300
|
|
# Ceph RADOS ports for OSDs, MDSes
|
|
- min: 6800
|
|
max: 7300
|
|
# # Ceph dashboard port HTTP (not recommended)
|
|
# - min: 7000
|
|
# max: 7000
|
|
# Ceph dashboard port HTTPS
|
|
- min: 8443
|
|
max: 8443
|
|
# Ceph mgr Prometheus Metrics
|
|
- min: 9283
|
|
max: 9283
|
|
# port for CSIAddons
|
|
- min: 9070
|
|
max: 9070
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: rook-ceph-cmd-reporter-psp
|
|
namespace: rook-ceph # namespace:cluster
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: psp:rook
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-ceph-cmd-reporter
|
|
namespace: rook-ceph # namespace:cluster
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: rook-ceph-default-psp
|
|
namespace: rook-ceph # namespace:cluster
|
|
labels:
|
|
operator: rook
|
|
storage-backend: ceph
|
|
app.kubernetes.io/part-of: rook-ceph-operator
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: psp:rook
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: default
|
|
namespace: rook-ceph # namespace:cluster
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: rook-ceph-mgr-psp
|
|
namespace: rook-ceph # namespace:cluster
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: psp:rook
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-ceph-mgr
|
|
namespace: rook-ceph # namespace:cluster
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: rook-ceph-osd-psp
|
|
namespace: rook-ceph # namespace:cluster
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: psp:rook
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-ceph-osd
|
|
namespace: rook-ceph # namespace:cluster
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: rook-ceph-purge-osd-psp
|
|
namespace: rook-ceph # namespace:cluster
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: psp:rook
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-ceph-purge-osd
|
|
namespace: rook-ceph # namespace:cluster
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: rook-ceph-rgw-psp
|
|
namespace: rook-ceph # namespace:cluster
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: psp:rook
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rook-ceph-rgw
|
|
namespace: rook-ceph # namespace:cluster |