-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
export default SecurityContextConstraints for OCP clusters #68
base: main
Are you sure you want to change the base?
Conversation
api/ocp/scc.go
Outdated
|
||
// NewSecurityContextConstraints exports a default configuration of the | ||
// Security Context Constraints to deploy ceph-csi-operator in an OCP cluster | ||
func NewSecurityContextConstraints(namespace string, name string) *secv1.SecurityContextConstraints { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need to scc.yaml in config folder which is required for upstream users and we can use it as template here and make it customizable with serviceaccount name and namespace.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add scc.yaml as a template, initially followed that route. but importing it threw some errors, so pivoted to generating the yaml from go code.
but there was some issue with me pushing the package, that resulted the issue. pivoted back to the template
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are some improvement required, lets talk about it in today's standup
3657a34
to
2aead8e
Compare
api/ocp/scc.yaml
Outdated
- system:serviceaccount:{{.Namespace}}:csi-rbd-ctrlplugin-sa | ||
- system:serviceaccount:{{.Namespace}}:csi-cephfs-ctrlplugin-sa | ||
- system:serviceaccount:{{.Namespace}}:csi-nfs-ctrlplugin-sa | ||
- system:serviceaccount:{{.Namespace}}:csi-rbd-nodeplugin-sa | ||
- system:serviceaccount:{{.Namespace}}:csi-cephfs-nodeplugin-sa |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having a template here doesnt help upstream Rook users. we need complete yaml where Rook or user can use it directly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
@weirdwiz This PR is trying to attack multiple things at once:
Please separate into two different PRs |
Signed-off-by: Divyansh Kamboj <[email protected]>
this commit exports SecurityContextConstraints to let the user deploy the ceph-csi-operator in OCP clusters Signed-off-by: Divyansh Kamboj <[email protected]>
@weirdwiz Can you please rebase this and get rid of the first commit? (which is already addressed on a different PR that got merged) |
@weirdwiz ping |
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
Describe what this PR does
This PR exports the SecurityContextConstraints for admins deploying the ceph-csi-operators in OCP clusters
Is there anything that requires special attention
Do you have any questions?
Is the change backward compatible?
Are there concerns around backward compatibility?
Provide any external context for the change, if any.
For example:
Related issues
Mention any github issues relevant to this PR. Adding below line
will help to auto close the issue once the PR is merged.
Fixes: #issue_number
Future concerns
List items that are not part of the PR and do not impact it's
functionality, but are work items that can be taken up subsequently.
Checklist:
guidelines in the developer
guide.
Request
notes
updated with breaking and/or notable changes for the next major release.