technofab/zfs-localpv
1
0
Fork 0
mirror of https://github.com/TECHNOFAB11/zfs-localpv.git synced 2025-12-11 22:10:11 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refact(charts): add pod security policy for zfslocalpv charts (#290)

Browse source 
Signed-off-by: prateekpandey14 <prateek.pandey@mayadata.io>
This commit is contained in:
Prateek Pandey 2021-02-15 15:03:40 +05:30 committed by GitHub
parent 36e0f69fd0
commit 62e5b57d90
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 34 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
deploy/helm/charts/Chart.yaml
View file

@ -1,7 +1,7 @@
apiVersion: v2 apiVersion: v2
name: zfs-localpv name: zfs-localpv
description: CSI Driver for dynamic provisioning of ZFS Persistent Local Volumes. description: CSI Driver for dynamic provisioning of ZFS Persistent Local Volumes.
version: 1.3.0 version: 1.3.1
appVersion: 1.3.0 appVersion: 1.3.0
icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/openebs/icon/color/openebs-icon-color.png icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/openebs/icon/color/openebs-icon-color.png
home: http://www.openebs.io/ home: http://www.openebs.io/

1
deploy/helm/charts/README.md
View file

@ -118,6 +118,7 @@ The following table lists the configurable parameters of the OpenEBS ZFS Localpv
| `zfsController.nodeSelector`| Nodeselector for zfs localpv controller statefulset pods| `""`| | `zfsController.nodeSelector`| Nodeselector for zfs localpv controller statefulset pods| `""`|
| `zfsController.tolerations` | zfs localpv controller statefulset's pod toleration values | `""`| | `zfsController.tolerations` | zfs localpv controller statefulset's pod toleration values | `""`|
| `zfsController.securityContext` | Seurity context for zfs localpv controller statefulset container | `""`| | `zfsController.securityContext` | Seurity context for zfs localpv controller statefulset container | `""`|
| `rbac.pspEnabled` | Enable PodSecurityPolicy | `false` |
| `serviceAccount.zfsNode.create` | Create a service account for zfsnode or not| `true`| | `serviceAccount.zfsNode.create` | Create a service account for zfsnode or not| `true`|
| `serviceAccount.zfsNode.name` | Name for the zfsnode service account| `openebs-zfs-node-sa`| | `serviceAccount.zfsNode.name` | Name for the zfsnode service account| `openebs-zfs-node-sa`|
| `serviceAccount.zfsController.create` | Create a service account for zfs localpv controller or not| `true`| | `serviceAccount.zfsController.create` | Create a service account for zfs localpv controller or not| `true`|

27
deploy/helm/charts/templates/psp.yaml Normal file
View file

@ -0,0 +1,27 @@
{{- if .Values.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "zfslocalpv.fullname" . }}-psp
{{- with .Values.zfsNode.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "zfslocalpv.zfsNode.labels" . | nindent 4 }}
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities: ['*']
volumes: ['*']
hostNetwork: true
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
{{- end }}

5
deploy/helm/charts/values.yaml
View file

@ -7,6 +7,11 @@ release:
imagePullSecrets: imagePullSecrets:
# - name: "image-pull-secret" # - name: "image-pull-secret"
rbac:
# rbac.pspEnabled: `true` if PodSecurityPolicy resources should be created
pspEnabled: false
# zfsNode contains the configurables for # zfsNode contains the configurables for
# the zfs node daemonset # the zfs node daemonset
zfsNode: zfsNode: