fix(deps): update rook-ceph-suite to v1.9.12 (patch) #1631
base: main
Path: @@ -1569,7 +1569,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.5"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext: |
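Review bot: The changed `image: "rook/ceph:v1.9.5"` line still references the operator by tag only, and with `imagePullPolicy: IfNotPresent` on the next line a node that already has that tag cached never re-checks what it points to, so nodes can end up running different content under the same tag. Consider pinning by digest (`rook/ceph:v1.9.5@sha256:<digest>`, with the digest taken from the release you verified).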
Path: @@ -11809,7 +11809,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.5"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext: |
fe8a326 to a3bad1f
Path: @@ -719,7 +719,7 @@
prepareosd:
limits:
cpu: 500m
- memory: 200Mi
+ memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
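Review bot: The `prepareosd` memory limit goes to `400Mi` while the memory request under `requests:` stays at `50Mi`, so the scheduler still places the pod as if it needed 50Mi and it may now grow to eight times that. If the 200Mi limit was being hit, raise the request along with the limit so placement reflects real usage.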
Path: @@ -10998,6 +10998,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
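Review bot: The added rule grants `create` on `serviceaccounts/token` with no `resourceNames`, so whoever is bound to this role can request a token for any service account the binding's scope covers, not only the ones Rook manages. The role this rule lands in is not visible in the hunk; please confirm its scope, and restrict the rule with `resourceNames` to the specific service accounts if the operator's use allows it.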
@@ -11065,6 +11068,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -11809,7 +11815,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.6"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext: |
Path: @@ -758,6 +758,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -825,6 +828,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -1569,7 +1575,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.6"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext: |
a3bad1f to 565e265
Path: @@ -91,7 +91,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
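Review bot: The `app.kubernetes.io/managed-by` value changes from `helm` to `Helm` while `app.kubernetes.io/created-by: helm` on the following line stays lower-case. Label values are case-sensitive, so check for selectors, policies or alert rules that match `managed-by=helm` before merging, and note the change in the PR description since it touches every labelled object.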
@@ -108,7 +108,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +125,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +153,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +170,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -10509,7 +10509,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -10536,7 +10536,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10572,7 +10572,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10765,7 +10765,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10826,7 +10826,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10974,7 +10974,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10998,6 +10998,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -11065,6 +11068,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -11075,7 +11081,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11126,7 +11132,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11147,7 +11153,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11238,7 +11244,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11446,7 +11452,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11537,7 +11543,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11745,7 +11751,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11795,13 +11801,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
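Review bot: Adding `strategy:` / `type: Recreate` next to `replicas: 1` means each rollout terminates the only operator pod before its replacement is created, so there is a period with no operator running. That avoids two operators reconciling at once, but it should be stated in the PR description and the upgrade window should tolerate the gap.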
@@ -11809,7 +11817,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.7"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext: |
Path: @@ -91,7 +91,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +108,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +125,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +153,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +170,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -269,7 +269,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -296,7 +296,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -332,7 +332,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -525,7 +525,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -586,7 +586,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -734,7 +734,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -758,6 +758,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -825,6 +828,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -835,7 +841,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -886,7 +892,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -907,7 +913,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -998,7 +1004,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1206,7 +1212,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -1297,7 +1303,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1505,7 +1511,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1555,13 +1561,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -1569,7 +1577,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.7"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext: |
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -105,7 +105,7 @@
kind: StorageClass
metadata:
name: ceph-bucket
-provisioner: default.ceph.rook.io/bucket
+provisioner: rook-ceph.ceph.rook.io/bucket
reclaimPolicy: Delete
parameters:
objectStoreName: ceph-objectstore
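Review bot: The `provisioner` of the `ceph-bucket` StorageClass changes from `default.ceph.rook.io/bucket` to `rook-ceph.ceph.rook.io/bucket`, and `provisioner` is immutable on an existing StorageClass, so applying this over a live object will be rejected. Plan a delete-and-recreate of the class, and confirm the new `rook-ceph` prefix matches the namespace the operator actually runs in.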
@@ -319,7 +319,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -719,7 +719,7 @@
prepareosd:
limits:
cpu: 500m
- memory: 200Mi
+ memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
565e265 to ba03185
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -105,7 +105,7 @@
kind: StorageClass
metadata:
name: ceph-bucket
-provisioner: default.ceph.rook.io/bucket
+provisioner: rook-ceph.ceph.rook.io/bucket
reclaimPolicy: Delete
parameters:
objectStoreName: ceph-objectstore
@@ -319,7 +319,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -598,7 +598,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v16.2.10
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
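Review bot: The `image:` line under `cephVersion:` moves the Ceph daemon image to `quay.io/ceph/ceph:v16.2.10`, which is a change to the storage daemons themselves and not only to the Rook operator named in the PR title. Call the Ceph upgrade out in the description so it is reviewed as a daemon upgrade, and consider referencing the image by digest rather than by tag alone.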
@@ -719,7 +719,7 @@
prepareosd:
limits:
cpu: 500m
- memory: 200Mi
+ memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
Path: @@ -91,7 +91,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +108,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +125,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +153,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +170,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -269,7 +269,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -296,7 +296,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -332,7 +332,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -525,7 +525,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -586,7 +586,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -734,7 +734,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -758,6 +758,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -825,6 +828,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -835,7 +841,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -886,7 +892,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -907,7 +913,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -998,7 +1004,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1206,7 +1212,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -1297,7 +1303,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1505,7 +1511,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1555,13 +1561,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -1569,7 +1577,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.8"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1583,6 +1591,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
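Review bot: The new `ports` entry declares `containerPort: 9443` as `https-webhook` on the operator container, next to the existing `/etc/webhook` mount, but a port declaration does not restrict who can reach it. If the operator namespace is covered by NetworkPolicy, add an ingress rule that admits the API server to 9443 and nothing broader.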
Path: @@ -91,7 +91,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +108,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +125,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +153,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +170,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -8842,6 +8842,11 @@
type: object
type: object
type: object
+ hostNetwork:
+ description: Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied.
+ nullable: true
+ type: boolean
+ x-kubernetes-preserve-unknown-fields: true
metadataPool:
description: The metadata pool settings
nullable: true
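Review bot: The new `hostNetwork` property is declared `type: boolean` yet also carries `x-kubernetes-preserve-unknown-fields: true`, which has no meaning on a scalar and looks like generator output worth checking upstream. Separately, the field lets anyone who can edit this resource place the rgw daemon in the node's network namespace, so RBAC or admission policy on the resource should account for that.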
@@ -10509,7 +10514,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -10536,7 +10541,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10572,7 +10577,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10765,7 +10770,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10826,7 +10831,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10974,7 +10979,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10998,6 +11003,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -11065,6 +11073,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -11075,7 +11086,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11126,7 +11137,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11147,7 +11158,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11238,7 +11249,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11446,7 +11457,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11537,7 +11548,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11745,7 +11756,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11795,13 +11806,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -11809,7 +11822,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.8"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -11823,6 +11836,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
ba03185 to b7a0ed1
Path: @@ -91,7 +91,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +108,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +125,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +153,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +170,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -1565,8 +1565,16 @@
enabled:
description: Enabled represents whether the log collector is enabled
type: boolean
+ maxLogSize:
+ anyOf:
+ - type: integer
+ - type: string
+ description: MaxLogSize is the maximum size of the log per ceph daemons. Must be at least 1M.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
periodicity:
- description: Periodicity is the periodicity of the log rotation
+ description: Periodicity is the periodicity of the log rotation.
+ pattern: ^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$
type: string
type: object
mgr:
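Review bot: The `maxLogSize` pattern is the generic quantity expression, so it admits a leading `-` and the `n`, `u` and `m` suffixes, and nothing in the schema enforces the "Must be at least 1M" stated in the description. The new `periodicity` pattern `^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$` also tightens a previously free-form string, so existing objects holding any other value can fail validation on their next update; check current values before applying the CRD.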
@@ -8842,6 +8850,11 @@
type: object
type: object
type: object
+ hostNetwork:
+ description: Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied.
+ nullable: true
+ type: boolean
+ x-kubernetes-preserve-unknown-fields: true
metadataPool:
description: The metadata pool settings
nullable: true
@@ -10509,7 +10522,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -10536,7 +10549,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10572,7 +10585,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10765,7 +10778,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10826,7 +10839,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10974,7 +10987,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10998,6 +11011,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
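Review bot: the added rule grants `create` on `serviceaccounts/token` without `resourceNames`, so the subject bound to this role can request a token for any service account within the scope of the binding, including accounts with more privilege than its own. The hunk does not show which role receives the rule or how it is bound; please confirm the scope and, if only specific Rook service accounts need tokens, restrict the rule with `resourceNames` listing them.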
@@ -11065,6 +11081,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -11075,7 +11094,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11126,7 +11145,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11147,7 +11166,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11238,7 +11257,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11446,7 +11465,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11537,7 +11556,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11745,7 +11764,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11795,13 +11814,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
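Review bot: `strategy.type: Recreate` together with `replicas: 1` means the old operator pod is terminated before the new one starts, so every image bump leaves a window with no operator running. That avoids two operators reconciling at once, but this Deployment also serves the admission webhook (see the `https-webhook` port added further down), which is unreachable during that window. Please state that the downtime is intended and confirm how API requests to the validated resources behave while the webhook is down.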
@@ -11809,7 +11830,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.9"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
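Review bot: `image: "rook/ceph:v1.9.9"` is referenced by mutable tag, and the unchanged `imagePullPolicy: IfNotPresent` keeps whatever a node already has cached under that tag, so the manifest alone does not determine which image the operator runs. Pin the image by digest (`rook/ceph:v1.9.9@sha256:<digest>`, with the digest taken from the registry) so that the automated dependency update carries a verifiable reference.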
@@ -11823,6 +11844,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
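Review bot: the new `containerPort: 9443` entry named `https-webhook` is declarative only and does not limit who can reach the webhook listener. The hunk adds no NetworkPolicy alongside it, so please confirm that ingress to 9443 on the operator pod is restricted to the API server, and that the certificate mounted at `/etc/webhook` is the one served on that port.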
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -105,7 +105,7 @@
kind: StorageClass
metadata:
name: ceph-bucket
-provisioner: default.ceph.rook.io/bucket
+provisioner: rook-ceph.ceph.rook.io/bucket
reclaimPolicy: Delete
parameters:
objectStoreName: ceph-objectstore
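Review bot: `provisioner` is immutable on an existing StorageClass, so changing `default.ceph.rook.io/bucket` to `rook-ceph.ceph.rook.io/bucket` cannot be applied in place; `ceph-bucket` has to be deleted and recreated, and existing bucket claims should be checked against the new name. The new prefix also looks like a namespace name, while other manifests in this diff are rendered with `namespace: default # namespace:operator`; please confirm the two agree, otherwise no provisioner will answer for this class.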
@@ -319,7 +319,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -598,7 +598,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v16.2.10
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -719,7 +719,7 @@
prepareosd:
limits:
cpu: 500m
- memory: 200Mi
+ memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
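Review bot: the `prepareosd` memory limit doubles to `400Mi` but the request stays at `50Mi`, so the scheduler still places the pod on nodes with only 50Mi free, and a pod running far above its request is an early candidate for eviction under memory pressure. If the limit is being raised because OSD prepare was hitting 200Mi, raise the request toward observed usage as well.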
Path: @@ -91,7 +91,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +108,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +125,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +153,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +170,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -269,7 +269,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -296,7 +296,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -332,7 +332,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -525,7 +525,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -586,7 +586,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -734,7 +734,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -758,6 +758,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
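Review bot: with `get` on `serviceaccounts` directly above it, the new `create` on `serviceaccounts/token` lets the holder of this role look up a service account and then request a token for it, and nothing in the rule limits which accounts. If the grant has to stay this broad, make sure the API server audit policy records `create` on `serviceaccounts/token` so that token requests made through this role can be reviewed.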
@@ -825,6 +828,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/psp.yaml
apiVersion: rbac.authorization.k8s.io/v1
@@ -835,7 +841,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -886,7 +892,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -907,7 +913,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -998,7 +1004,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1206,7 +1212,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -1297,7 +1303,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1505,7 +1511,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1555,13 +1561,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -1569,7 +1577,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.9"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1583,6 +1591,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
b7a0ed1
to
ac9a9f6
Compare
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -105,7 +105,7 @@
kind: StorageClass
metadata:
name: ceph-bucket
-provisioner: default.ceph.rook.io/bucket
+provisioner: rook-ceph.ceph.rook.io/bucket
reclaimPolicy: Delete
parameters:
objectStoreName: ceph-objectstore
@@ -319,7 +319,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -598,7 +598,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v16.2.10
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -719,7 +719,7 @@
prepareosd:
limits:
cpu: 500m
- memory: 200Mi
+ memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
ac9a9f6
to
7ebd4a4
Compare
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -310,102 +310,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
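Review bot: the six RoleBindings to `psp:rook` are removed with no replacement control in this hunk, and one of them (`rook-ceph-default-psp`) had bound the namespace's `default` ServiceAccount to that role. On clusters where the PodSecurityPolicy admission plugin is still enabled, the Ceph pods are no longer authorized for the Rook policy unless another binding exists; on clusters without it, nothing in these manifests constrains them. Please document which case this deployment is in and, for the latter, set Pod Security Admission labels on the cluster namespace.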
@@ -598,7 +502,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v16.2.10
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -719,7 +623,7 @@
prepareosd:
limits:
cpu: 500m
- memory: 200Mi
+ memory: 400Mi
requests:
cpu: 500m
memory: 50Mi |
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
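Review bot: deleting `00-rook-privileged` removes the only place in this manifest that spelled out what Rook pods are allowed to do: `privileged: true`, `SYS_ADMIN` and `MKNOD`, `hostPID`, `hostIPC`, `hostNetwork`, `hostPath` volumes with `allowedHostPaths` left commented out, and the listed host port ranges. If the workloads still need those privileges, the removal should come with an explicit replacement, for example a `pod-security.kubernetes.io/enforce: privileged` label on the Rook namespaces only, so that the exception stays scoped and visible.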
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -1565,8 +1483,16 @@
enabled:
description: Enabled represents whether the log collector is enabled
type: boolean
+ maxLogSize:
+ anyOf:
+ - type: integer
+ - type: string
+ description: MaxLogSize is the maximum size of the log per ceph daemons. Must be at least 1M.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
periodicity:
- description: Periodicity is the periodicity of the log rotation
+ description: Periodicity is the periodicity of the log rotation.
+ pattern: ^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$
type: string
type: object
mgr:
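Review bot: the `periodicity` pattern `^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$` explicitly allows the empty string, but the description does not say which rotation interval applies when the field is empty or omitted. Log retention on storage daemons matters for incident response, so document the default here. Adding a `pattern` to an existing field can also make a previously accepted value fail validation the next time an existing CephCluster is updated; call that out in the upgrade notes.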
@@ -7897,6 +7823,11 @@
type: object
nullable: true
type: array
+ hostNetwork:
+ description: Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied.
+ nullable: true
+ type: boolean
+ x-kubernetes-preserve-unknown-fields: true
instances:
description: The number of pods in the rgw replicaset.
format: int32
@@ -10509,7 +10440,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -10536,7 +10467,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10572,7 +10503,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10765,7 +10696,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10826,7 +10757,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10974,7 +10905,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10998,6 +10929,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -11065,27 +10999,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -11126,7 +11042,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11147,7 +11063,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11229,82 +11145,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -11446,7 +11286,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11528,102 +11368,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -11745,7 +11489,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11795,13 +11539,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -11809,7 +11555,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.11"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -11823,6 +11569,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
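Review bot: this removes `00-rook-privileged` without a replacement, which is only safe where the PodSecurityPolicy admission plugin is off. On a cluster that still enforces PSPs, the Rook pods fall through to the next matching policy (the removed comment names `restricted`) and lose `privileged: true`, `hostPID`, `hostIPC` and `hostPath`, so they would be rejected at admission. Confirm the target cluster's admission configuration before merging.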
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -269,7 +187,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -296,7 +214,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -332,7 +250,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -525,7 +443,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -586,7 +504,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -734,7 +652,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -758,6 +676,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
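Review bot: the added rule grants `create` on `serviceaccounts/token` with no `resourceNames`, so whoever holds this role can request a token for every service account its binding covers, not only the ones Rook needs. The role's kind and name are outside the visible context; if it is bound cluster-wide, this is a path to acting as more privileged accounts. Consider listing the intended service accounts under `resourceNames`, or confirm that the binding is namespaced.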
@@ -825,27 +746,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -886,7 +789,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -907,7 +810,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -989,82 +892,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -1206,7 +1033,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -1288,102 +1115,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
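Review bot: among the removed bindings, `rook-ceph-default-psp` gave the namespace's `default` service account `use` on `psp:rook`, so any pod there without an explicit service account could run under the privileged policy; dropping it is welcome. These objects only disappear from the cluster if the deployment tooling prunes resources that vanish from the rendered output, so verify after rollout that no `*-psp` RoleBinding is left behind.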
@@ -1505,7 +1236,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1555,13 +1286,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
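Review bot: with `replicas: 1` and `strategy.type: Recreate` the old operator pod is terminated before the new one is scheduled, so every rollout (this image bump included) leaves a window with no operator and nothing listening on the webhook port. That is the safer choice against two operators reconciling at once, but check the admission webhook's failure policy so that Ceph CR updates are neither rejected nor admitted unvalidated during that window.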
@@ -1569,7 +1302,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.11"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1583,6 +1316,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
7ebd4a4
to
19f0a08
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -1565,8 +1483,16 @@
enabled:
description: Enabled represents whether the log collector is enabled
type: boolean
+ maxLogSize:
+ anyOf:
+ - type: integer
+ - type: string
+ description: MaxLogSize is the maximum size of the log per ceph daemons. Must be at least 1M.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
periodicity:
- description: Periodicity is the periodicity of the log rotation
+ description: Periodicity is the periodicity of the log rotation.
+ pattern: ^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$
type: string
type: object
mgr:
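Review bot: `periodicity` gains a `pattern` here, so a value that was accepted before as a free-form string is now rejected unless it is empty or one of `hourly|daily|weekly|monthly|1h|24h|1d`. Check the log collector's `periodicity` on existing cluster resources before the CRD is applied, otherwise the next update of those objects fails validation. Note also that the `maxLogSize` description says "Must be at least 1M" while the pattern only checks the quantity syntax, so that floor is not enforced by the schema.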
@@ -7897,6 +7823,11 @@
type: object
nullable: true
type: array
+ hostNetwork:
+ description: Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied.
+ nullable: true
+ type: boolean
+ x-kubernetes-preserve-unknown-fields: true
instances:
description: The number of pods in the rgw replicaset.
format: int32
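Review bot: the new `hostNetwork` field overrides the cluster CR's network settings for the rgw daemon, so host networking can be switched on for the gateway without touching the cluster CR. If the gateway must not bind on node interfaces, enforce that with an admission rule on this field rather than relying on the cluster-level default. `x-kubernetes-preserve-unknown-fields: true` on a `type: boolean` field also looks redundant and may be worth raising upstream.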
@@ -10509,7 +10440,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -10536,7 +10467,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10572,7 +10503,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10765,7 +10696,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10826,7 +10757,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10974,7 +10905,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10998,6 +10929,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -11065,27 +10999,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -11126,7 +11042,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11147,7 +11063,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11229,82 +11145,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -11446,7 +11286,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11528,102 +11368,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -11745,7 +11489,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11795,13 +11539,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -11809,7 +11555,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.12"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -11823,6 +11569,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -310,102 +310,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -598,7 +502,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v16.2.10
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -717,9 +621,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 200Mi
requests:
cpu: 500m
memory: 50Mi |
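Review bot: `prepareosd` loses its `limits` block entirely and keeps only the `requests` of `cpu: 500m` and `memory: 50Mi`, so the OSD prepare pods can grow to whatever the node has. An earlier hunk on this page raised the memory limit from 200Mi to 400Mi; if the aim is to avoid OOM kills, a higher explicit limit (or a namespace LimitRange) keeps a ceiling in place.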
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
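Review bot: `app.kubernetes.io/managed-by` changes from `helm` to `Helm` in this label block and in every one that follows, while `app.kubernetes.io/created-by: helm` on the next line keeps its lowercase value. Label values are case-sensitive, so any selector, policy or monitoring query that matches `managed-by=helm` stops matching these objects after the upgrade. Suggest searching the repository for consumers of the old value before merging.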
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -269,7 +187,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -296,7 +214,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -332,7 +250,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -525,7 +443,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -586,7 +504,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -734,7 +652,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -758,6 +676,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
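Review bot: the added rule for `serviceaccounts/token` with verb `create` carries no `resourceNames`, so whoever holds this role can request a token for any service account within the role's scope, not only Rook's own. The rule directly above it only allowed `get` on `serviceaccounts`, so this is a real widening. If the set of accounts that need tokens is known, suggest listing them under `resourceNames`; otherwise the PR description should say which component needs the grant and why.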
@@ -825,27 +746,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -886,7 +789,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -907,7 +810,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -989,82 +892,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -1206,7 +1033,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -1288,102 +1115,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1505,7 +1236,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1555,13 +1286,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
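Review bot: `strategy.type: Recreate` together with `replicas: 1` means every rollout, including the image bump in this PR, terminates the running operator before its replacement is scheduled, leaving a window with no operator at all. A later hunk declares an `https-webhook` port on this same container; if admission requests are served from it, they fail during that window. Suggest documenting the expected gap and scheduling the upgrade accordingly.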
@@ -1569,7 +1302,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.12"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
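Review bot: `image: "rook/ceph:v1.9.12"` is referenced by tag only, and with `imagePullPolicy: IfNotPresent` a node that already holds an image under that tag never re-checks it against the registry. Suggest pinning by digest in the form `rook/ceph:v1.9.12@sha256:<digest>` (placeholder, take the value from the registry) so the rendered manifest names one exact image for the operator.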
@@ -1583,6 +1316,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
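Review bot: the new `ports` entry names `containerPort: 9443` as `https-webhook`, but a `containerPort` declaration is informational and does not limit who can connect to it. If the namespace uses NetworkPolicy, suggest adding or updating a rule in the same PR so that 9443 on the operator pod is reachable only from the sources that need it.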
19f0a08 to badc8b2
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
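Review bot: the deletion of `00-rook-privileged` at the top of this file removes the object that scoped `privileged: true`, `hostPID`, `hostIPC`, `hostNetwork` and `hostPath` to the Rook service accounts, and none of the hunks shown here puts anything in its place. The deleted header comment assumes clusters also carry a `restricted` PSP; where PSP admission is still enabled, Rook pods would then be evaluated against whatever other policy they are allowed to use. Suggest stating in the PR description which case applies to the target clusters and, where PSP is no longer in use, what bounds these host-level settings at admission for the Rook namespace.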
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -269,7 +187,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -296,7 +214,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -332,7 +250,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -525,7 +443,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -586,7 +504,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -734,7 +652,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -758,6 +676,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -825,27 +746,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -886,7 +789,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -907,7 +810,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -989,82 +892,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -1206,7 +1033,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -1288,102 +1115,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
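Review bot: among the RoleBindings deleted in this hunk, `rook-ceph-default-psp` bound the namespace's `default` ServiceAccount to `psp:rook`, so any pod in that namespace that did not set a service account could use the privileged policy. Removing it is a behaviour change beyond a version bump. Suggest calling it out in the PR description and checking that no workload in the namespace depended on that binding.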
@@ -1505,7 +1236,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1555,13 +1286,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -1569,7 +1302,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.12"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1583,6 +1316,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -310,102 +310,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -598,7 +502,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v16.2.10
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -717,9 +621,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 200Mi
requests:
cpu: 500m
memory: 50Mi |
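Review bot: removing `limits` under `prepareosd` leaves the OSD prepare pods with `requests` of `cpu: 500m` and `memory: 50Mi` and no ceiling, so a misbehaving prepare job can keep consuming node memory until other pods are affected. An earlier revision of this PR raised the memory limit from `200Mi` to `400Mi` instead. If the limit was being hit, suggest keeping an explicit, higher limit rather than none, or recording why no limit is acceptable here.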
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -1565,8 +1483,16 @@
enabled:
description: Enabled represents whether the log collector is enabled
type: boolean
+ maxLogSize:
+ anyOf:
+ - type: integer
+ - type: string
+ description: MaxLogSize is the maximum size of the log per ceph daemons. Must be at least 1M.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
periodicity:
- description: Periodicity is the periodicity of the log rotation
+ description: Periodicity is the periodicity of the log rotation.
+ pattern: ^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$
type: string
type: object
mgr:
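Review bot: the added `maxLogSize` description says "Must be at least 1M", but its `pattern` is the generic quantity regex: it accepts a leading `-`, the sub-unit suffixes in `[numkMGTPE]`, and any magnitude, so the stated minimum is not enforced by this schema. If the limit is relied on to keep daemon logs from filling node disks, confirm that the operator validates the value itself. Separately, the new `periodicity` pattern `^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$` will reject any existing custom resource that carries another value the next time it is written, so check the values currently in use before rolling out the CRD.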
@@ -7897,6 +7823,11 @@
type: object
nullable: true
type: array
+ hostNetwork:
+ description: Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied.
+ nullable: true
+ type: boolean
+ x-kubernetes-preserve-unknown-fields: true
instances:
description: The number of pods in the rgw replicaset.
format: int32
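Review bot: the new `hostNetwork` field is declared `type: boolean` yet also carries `x-kubernetes-preserve-unknown-fields: true`, which only concerns pruning of object fields and looks like generator residue on a scalar; worth confirming upstream intends it. More relevant for this repo: the field lets an rgw object opt into the host network namespace independently of the cluster CR, and this same diff deletes the `00-rook-privileged` PSP, so nothing visible here constrains who may set it. If rgw should never use host networking in this cluster, enforce that with an admission policy rather than relying on the default.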
@@ -10509,7 +10440,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -10536,7 +10467,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10572,7 +10503,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10765,7 +10696,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10826,7 +10757,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10974,7 +10905,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10998,6 +10929,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
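Review bot: the added rule grants `create` on `serviceaccounts/token` with no `resourceNames`, so whatever subject is bound to this role can request tokens for every ServiceAccount within the role's scope, not only its own. The enclosing object's kind is not visible in this hunk; please confirm whether the rule is namespaced or cluster-wide and which ServiceAccounts actually need token requests. If that set is fixed, list it under `resourceNames`, and make sure TokenRequest calls by this subject are covered by the audit policy.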
@@ -11065,27 +10999,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -11126,7 +11042,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11147,7 +11063,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11229,82 +11145,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -11446,7 +11286,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11528,102 +11368,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
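Review bot: the six `*-psp` RoleBindings removed in this hunk only leave the cluster if the tool applying these rendered manifests prunes deleted objects. One of them, `rook-ceph-default-psp`, bound the namespace's `default` ServiceAccount to `psp:rook`, which the ClusterRole removed earlier in this diff maps to `00-rook-privileged`, so a stale copy is worth caring about. Please verify after rollout that none of the bindings named here remain.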
@@ -11745,7 +11489,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11795,13 +11539,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
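Review bot: `strategy: type: Recreate` together with `replicas: 1` means the old operator pod is terminated before the new one starts, so every rollout has a window with no operator running. Please note in the PR why this is wanted (presumably to keep two operators from reconciling at once, but that is a guess from the diff) and confirm nothing needs the operator reachable during that window, given the `/etc/webhook` mount further down in the same Deployment.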
@@ -11809,7 +11555,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.12"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
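Review bot: the operator image moves from `rook/ceph:v1.9.4` to `rook/ceph:v1.9.12` by tag only, and `imagePullPolicy: IfNotPresent` on the next line means each node keeps running whatever content it first pulled under that tag. Pin the image by digest (`rook/ceph:v1.9.12@sha256:<digest>`, placeholder) so the artifact that was reviewed is the one deployed. This bump spans several patch releases and the diff carries RBAC and CRD changes alongside it, so someone should read the upstream release notes for the releases between v1.9.4 and v1.9.12 rather than merging on a green check alone.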
@@ -11823,6 +11569,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
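Review bot: the new `https-webhook` port 9443 is declared on the container, but this hunk shows no matching Service or NetworkPolicy change. `containerPort` is informational only; if a default-deny NetworkPolicy applies in the operator namespace, ingress from the API server to 9443 has to be allowed explicitly, and nothing else should be able to reach that port.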
badc8b2 to 089ec9b
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -310,102 +310,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -598,7 +502,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v16.2.10
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -717,9 +621,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 200Mi
requests:
cpu: 500m
memory: 50Mi |
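Review bot: removing the whole `limits` block under `prepareosd` leaves the OSD prepare job with requests only (`cpu: 500m`, `memory: 50Mi`), so it can consume node CPU and memory without a ceiling. If the previous `memory: 200Mi` limit was causing OOM kills, raising it is safer than dropping it. If the removal simply follows the upstream chart default, please say so in the PR description.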
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
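Review bot: deleting `00-rook-privileged` removes the only object in this manifest that spelled out what Rook pods are allowed to do (`privileged: true`, `SYS_ADMIN` and `MKNOD`, `hostIPC`, `hostPID`, `hostNetwork`, `hostPath`, the `hostPorts` ranges), and the diff adds no replacement. On a cluster where PodSecurityPolicy admission is still enabled, the Rook ServiceAccounts lose their `use` grant and their pods will be matched against whatever other PSP applies. On a cluster without it, please state in the PR what now governs these namespaces (Pod Security Admission labels or an admission policy) so that privileged pods stay limited to the Rook namespaces.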
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -1565,8 +1483,16 @@
enabled:
description: Enabled represents whether the log collector is enabled
type: boolean
+ maxLogSize:
+ anyOf:
+ - type: integer
+ - type: string
+ description: MaxLogSize is the maximum size of the log per ceph daemons. Must be at least 1M.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
periodicity:
- description: Periodicity is the periodicity of the log rotation
+ description: Periodicity is the periodicity of the log rotation.
+ pattern: ^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$
type: string
type: object
mgr:
@@ -7897,6 +7823,11 @@
type: object
nullable: true
type: array
+ hostNetwork:
+ description: Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied.
+ nullable: true
+ type: boolean
+ x-kubernetes-preserve-unknown-fields: true
instances:
description: The number of pods in the rgw replicaset.
format: int32
@@ -10509,7 +10440,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -10536,7 +10467,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10572,7 +10503,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10765,7 +10696,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10826,7 +10757,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10974,7 +10905,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10998,6 +10929,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -11065,27 +10999,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -11126,7 +11042,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11147,7 +11063,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11229,82 +11145,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -11446,7 +11286,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11528,102 +11368,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -11745,7 +11489,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11795,13 +11539,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -11809,7 +11555,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.12"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -11823,6 +11569,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -269,7 +187,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -296,7 +214,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -332,7 +250,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -525,7 +443,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -586,7 +504,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -734,7 +652,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -758,6 +676,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
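Review bot: the added rule on `serviceaccounts/token` with verb `create` has no `resourceNames`, so the subject bound to this role can request a token for every service account the binding covers. Because the service account name is part of the request path for this subresource, the rule can be narrowed with `resourceNames` listing only the accounts that need it. If the rendered chart cannot be narrowed, record in the PR description why the grant is needed and watch the audit log for token requests made by this subject.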
@@ -825,27 +746,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -886,7 +789,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -907,7 +810,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -989,82 +892,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -1206,7 +1033,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -1288,102 +1115,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1505,7 +1236,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1555,13 +1286,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
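Review bot: `strategy: type: Recreate` together with `replicas: 1` means the old operator pod is terminated before the new one is scheduled, so every rollout has a window with no operator running, and that window stays open if the new pod cannot start. That is a reasonable choice for a single-instance controller, but say in the PR description that the gap is expected, and check that nothing in the cluster blocks while the operator is absent.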
@@ -1569,7 +1302,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.12"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
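Review bot: the operator image is referenced by tag only (`rook/ceph:v1.9.12`) with `imagePullPolicy: IfNotPresent`, so each node runs whatever content that tag resolved to when it first pulled it. Pinning as `rook/ceph:v1.9.12@sha256:<digest>` (placeholder, take the digest from the registry) makes the deployed content reviewable in the diff. The bump also goes from v1.9.4 straight to v1.9.12, so the release notes for the intermediate patch releases should be linked or summarised in the PR description.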
@@ -1583,6 +1316,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
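Review bot: the added `containerPort: 9443` named `https-webhook` declares the operator's webhook listener next to the existing `/etc/webhook` certificate mount, but nothing in this hunk limits who can reach it. If the namespace uses NetworkPolicy, add an ingress rule for TCP 9443 that admits only the API server, and confirm how the certificate behind `webhook-cert` is issued and rotated.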
Signed-off-by: Danny Froberg <dfroberg@users.noreply.github.com>
089ec9b to de8e923
Path: @@ -9,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -26,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -43,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -71,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -310,102 +310,6 @@
- update
---
# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph-cluster/templates/rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -598,7 +502,7 @@
enabled: true
cephVersion:
allowUnsupported: false
- image: quay.io/ceph/ceph:v16.2.9
+ image: quay.io/ceph/ceph:v16.2.10
cleanupPolicy:
allowUninstallWithVolumes: false
confirmation: ""
@@ -717,9 +621,6 @@
cpu: 1000m
memory: 4Gi
prepareosd:
- limits:
- cpu: 500m
- memory: 200Mi
requests:
cpu: 500m
memory: 50Mi |
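Review bot: removing the `limits` block under `prepareosd` leaves that workload with only `requests` (cpu 500m, memory 50Mi), so its CPU and memory use on the node is no longer bounded. If the previous 200Mi limit was too low, set a higher explicit memory limit in the values override rather than accepting the unbounded default, and mention the change in the PR description since it is not part of the version bump itself.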
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
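Review bot: with `00-rook-privileged` deleted, this manifest no longer carries any policy that states what Rook pods may do; the removed spec was the only place recording `privileged: true`, `hostPID`, `hostIPC`, `hostNetwork`, `hostPath` volumes and the allowed host port ranges. Before merging, confirm the target clusters do not still enforce PodSecurityPolicy, otherwise these pods lose the policy that admitted them. Put the replacement control in the same change: a Pod Security admission label or policy-engine rule scoped to Rook's namespace only, so the privileged allowance stays explicit and does not extend to other workloads.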
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -269,7 +187,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -296,7 +214,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -332,7 +250,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -525,7 +443,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -586,7 +504,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -734,7 +652,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -758,6 +676,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
@@ -825,27 +746,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
@@ -886,7 +789,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -907,7 +810,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -989,82 +892,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
@@ -1206,7 +1033,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -1288,102 +1115,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -1505,7 +1236,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1555,13 +1286,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
@@ -1569,7 +1302,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.12"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
@@ -1583,6 +1316,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
Path: @@ -1,85 +1,3 @@
-# Source: rook-ceph/templates/psp.yaml
-# We expect most Kubernetes teams to follow the Kubernetes docs and have these PSPs.
-# * privileged (for kube-system namespace)
-# * restricted (for all logged in users)
-#
-# PSPs are applied based on the first match alphabetically. `rook-ceph-operator` comes after
-# `restricted` alphabetically, so we name this `00-rook-privileged`, so it stays somewhere
-# close to the top and so `rook-system` gets the intended PSP. This may need to be renamed in
-# environments with other `00`-prefixed PSPs.
-#
-# More on PSP ordering: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-order
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: 00-rook-privileged
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
- seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: true
- allowedCapabilities:
- # required by CSI
- - SYS_ADMIN
- - MKNOD
- fsGroup:
- rule: RunAsAny
- # runAsUser, supplementalGroups - Rook needs to run some pods as root
- # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- # seLinux - seLinux context is unknown ahead of time; set if this is well-known
- seLinux:
- rule: RunAsAny
- volumes:
- # recommended minimum set
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - projected
- # required for Rook
- - hostPath
- # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
- # allowedHostPaths:
- # - pathPrefix: "/run/udev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/dev" # for OSD prep
- # readOnly: false
- # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
- # readOnly: false
- # Ceph requires host IPC for setting up encrypted devices
- hostIPC: true
- # Ceph OSDs need to share the same PID namespace
- hostPID: true
- # hostNetwork can be set to 'false' if host networking isn't used
- hostNetwork: true
- hostPorts:
- # Ceph messenger protocol v1
- - min: 6789
- max: 6790 # <- support old default port
- # Ceph messenger protocol v2
- - min: 3300
- max: 3300
- # Ceph RADOS ports for OSDs, MDSes
- - min: 6800
- max: 7300
- # # Ceph dashboard port HTTP (not recommended)
- # - min: 7000
- # max: 7000
- # Ceph dashboard port HTTPS
- - min: 8443
- max: 8443
- # Ceph mgr Prometheus Metrics
- - min: 9283
- max: 9283
- # port for CSIAddons
- - min: 9070
- max: 9070
----
# Source: rook-ceph/templates/cluster-rbac.yaml
# Service account for Ceph OSDs
apiVersion: v1
@@ -91,7 +9,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -108,7 +26,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -125,7 +43,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -153,7 +71,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -170,7 +88,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
# imagePullSecrets:
@@ -1565,8 +1483,16 @@
enabled:
description: Enabled represents whether the log collector is enabled
type: boolean
+ maxLogSize:
+ anyOf:
+ - type: integer
+ - type: string
+ description: MaxLogSize is the maximum size of the log per ceph daemons. Must be at least 1M.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
periodicity:
- description: Periodicity is the periodicity of the log rotation
+ description: Periodicity is the periodicity of the log rotation.
+ pattern: ^$|^(hourly|daily|weekly|monthly|1h|24h|1d)$
type: string
type: object
mgr:
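Review bot: the `maxLogSize` description says the value must be at least 1M, but the `pattern` is the generic quantity expression and also matches values such as `-1`, `0` or `512k`, so the schema does not enforce that minimum. Either state in the description that the operator checks the minimum at reconcile time, or add a schema-level check so an invalid value is rejected when the resource is applied. The `periodicity` pattern in the same hunk is a useful tightening; note that `^$` still admits the empty string.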
@@ -7897,6 +7823,11 @@
type: object
nullable: true
type: array
+ hostNetwork:
+ description: Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied.
+ nullable: true
+ type: boolean
+ x-kubernetes-preserve-unknown-fields: true
instances:
description: The number of pods in the rgw replicaset.
format: int32
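Review bot: the new `hostNetwork` boolean lets a single rgw spec override the network settings from the cluster CR, so anyone allowed to create or edit the resource carrying this field can place rgw pods in the node's network namespace. Check that RBAC on that resource reflects this, or reject `hostNetwork: true` with an admission rule where host networking is not wanted. `x-kubernetes-preserve-unknown-fields: true` does nothing useful on a field of `type: boolean` and reads as a generator artefact.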
@@ -10509,7 +10440,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
# Most resources are represented by a string representation of their name, such as "pods", just as it appears in the URL for the relevant API endpoint.
@@ -10536,7 +10467,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10572,7 +10503,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10765,7 +10696,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -10826,7 +10757,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10974,7 +10905,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups: [""]
@@ -10998,6 +10929,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/clusterrole.yaml
kind: ClusterRole
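Review bot: The added rule grants `create` on `serviceaccounts/token` with no `resourceNames`, so any subject bound to this role can request tokens for every service account within the role's scope, not only its own. Ask whether the rule can be limited with `resourceNames` to the accounts that actually need it, and check which subjects are bound to this role before merging.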
@@ -11065,27 +10999,9 @@
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: 'psp:rook'
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-rules:
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- resourceNames:
- - 00-rook-privileged
- verbs:
- - use
+ - apiGroups: [""]
+ resources: ["serviceaccounts/token"]
+ verbs: ["create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
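Review bot: Deleting the `psp:rook` ClusterRole (`use` on `00-rook-privileged`) is only safe where PodSecurityPolicy admission is not enforced; on a cluster that still enforces it, pods of the service accounts that relied on this role may be rejected at admission unless another policy covers them. Confirm the target cluster's admission configuration before merging. The `serviceaccounts/token` `create` rule added in this hunk is again unrestricted by `resourceNames`.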
@@ -11126,7 +11042,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11147,7 +11063,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11229,82 +11145,6 @@
name: rbd-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io
---
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-ceph-system-psp
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-system
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-provisioner-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-cephfs-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-cephfs-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-plugin-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-plugin-sa
- namespace: default # namespace:operator
----
-# Source: rook-ceph/templates/psp.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: rook-csi-rbd-provisioner-sa-psp
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: 'psp:rook'
-subjects:
- - kind: ServiceAccount
- name: rook-csi-rbd-provisioner-sa
- namespace: default # namespace:operator
----
# Source: rook-ceph/templates/cluster-rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
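Review bot: These five ClusterRoleBindings disappear from the rendered manifest, but that does not remove them from a cluster unless the deployment tooling prunes objects it no longer renders; left behind, they reference a `psp:rook` ClusterRole that no longer exists. Verify after rollout that `rook-ceph-system-psp` and the four `rook-csi-*-psp` bindings are gone.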
@@ -11446,7 +11286,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
rules:
- apiGroups:
@@ -11528,102 +11368,6 @@
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-default-psp
- namespace: default # namespace:cluster
- labels:
- operator: rook
- storage-backend: ceph
- app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
- app.kubernetes.io/created-by: helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: default
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-rgw-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-rgw
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-mgr-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-mgr
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-cmd-reporter-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-cmd-reporter
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: rook-ceph-purge-osd-psp
- namespace: default # namespace:cluster
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:rook
-subjects:
- - kind: ServiceAccount
- name: rook-ceph-purge-osd
- namespace: default # namespace:cluster
----
-# Source: rook-ceph/templates/cluster-rbac.yaml
# Allow the operator to create resources in this cluster's namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@@ -11745,7 +11489,7 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -11795,13 +11539,15 @@
operator: rook
storage-backend: ceph
app.kubernetes.io/part-of: rook-ceph-operator
- app.kubernetes.io/managed-by: helm
+ app.kubernetes.io/managed-by: Helm
app.kubernetes.io/created-by: helm
spec:
replicas: 1
selector:
matchLabels:
app: rook-ceph-operator
+ strategy:
+ type: Recreate
template:
metadata:
labels:
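Review bot: With `replicas: 1` and the added `strategy.type: Recreate`, the old operator pod is terminated before the new one starts, so no operator is running for the duration of the image pull and startup. That is a reasonable trade for never having two operators active at once, but it deserves a line in the upgrade notes so the gap is expected.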
@@ -11809,7 +11555,7 @@
spec:
containers:
- name: rook-ceph-operator
- image: "rook/ceph:v1.9.4"
+ image: "rook/ceph:v1.9.12"
imagePullPolicy: IfNotPresent
args: ["ceph", "operator"]
securityContext:
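Review bot: The image is referenced by tag only (`rook/ceph:v1.9.12`) with `imagePullPolicy: IfNotPresent`, so what actually runs depends on what a node has cached or what the registry currently serves under that tag. Pinning by digest (`rook/ceph:v1.9.12@sha256:<digest>`, placeholder) would make the update reproducible and verifiable. The bump also spans eight patch releases, so the CRD and RBAC changes earlier in this diff should be reviewed as part of it rather than as incidental.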
@@ -11823,6 +11569,10 @@
name: default-config-dir
- mountPath: /etc/webhook
name: webhook-cert
+ ports:
+ - containerPort: 9443
+ name: https-webhook
+ protocol: TCP
env:
- name: ROOK_CURRENT_NAMESPACE_ONLY
value: "false" |
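Review bot: The new `https-webhook` container port 9443 is only useful if the API server can reach it, and the declaration itself restricts nothing. Where NetworkPolicies govern ingress to the operator pod, add an explicit allow for 9443 from the API server and confirm that no other source is permitted to reach it.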
This PR contains the following updates:
v1.9.4 -> v1.9.12
v1.9.4 -> v1.9.12
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
rook/rook (rook-ceph)
v1.9.12
Compare Source
Improvements
Rook v1.9.12 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
v1.9.11
Compare Source
Improvements
Rook v1.9.11 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
v1.9.10
Compare Source
Improvements
Rook v1.9.10 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator. Support for K8s 1.25 is added.
v1.9.9
Compare Source
Improvements
Rook v1.9.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
v1.9.8
Compare Source
Improvements
Rook v1.9.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
app=rook-ceph-mgr (#10577, @travisn)
v1.9.7
Compare Source
Improvements
Rook v1.9.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
Recreate strategy for operator upgrade (#10547, @sp98)
v1.9.6
Compare Source
Improvements
Rook v1.9.6 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
v1.9.5
Compare Source
Improvements
Rook v1.9.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.
black (#10422, @subhamkrai)
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.