Re: ceph-csi on openshift

For archival purposes, this is the correct yaml file:

kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: custom-scc
allowPrivilegedContainer: true
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: true
allowHostPorts: false
allowPrivilegeEscalation: true
allowedCapabilities:
- KILL
- NET_ADMIN
- SYS_ADMIN
- SYS_BOOT
- SYS_TIME
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:<project-name>:rbd-csi-provisioner
- system:serviceaccount:<project-name>:rbd-csi-nodeplugin

It might be too large in permissions, but at least it works and you can narrow it down from here :)

The changes were:

allowHostNetwork: true
allowHostPID: true

Kr,
Nino
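As an added example (not code from this thread), a small Python check that lists every setting where one SecurityContextConstraints object grants more than another, so the "narrow it down from here" step can be done against a baseline instead of by eye. The two custom SCCs are transcribed from this thread; the restricted baseline is an assumption about OpenShift's stock `restricted` SCC, not something the thread states.

```python
# Added example, not from the thread: report where an OpenShift SCC grants
# more than a baseline SCC. RESTRICTED is an assumed approximation of the
# stock 'restricted' SCC; the two custom SCCs are transcribed from the posts.

HOST_FLAGS = ("allowPrivilegedContainer", "allowHostDirVolumePlugin",
              "allowHostIPC", "allowHostNetwork", "allowHostPID",
              "allowHostPorts", "allowPrivilegeEscalation")
STRATEGIES = ("runAsUser", "seLinuxContext", "fsGroup", "supplementalGroups")

RESTRICTED = {  # assumed baseline, not taken from the page
    "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
    "allowHostIPC": False, "allowHostNetwork": False, "allowHostPID": False,
    "allowHostPorts": False, "allowPrivilegeEscalation": True,
    "allowedCapabilities": [],
    "runAsUser": {"type": "MustRunAsRange"}, "seLinuxContext": {"type": "MustRunAs"},
    "fsGroup": {"type": "MustRunAs"}, "supplementalGroups": {"type": "RunAsAny"},
}
# SCC suggested by Red Hat support (quoted message below).
REDHAT_SUGGESTED = {
    "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True,
    "allowHostIPC": False, "allowHostNetwork": False, "allowHostPID": False,
    "allowHostPorts": False, "allowPrivilegeEscalation": True,
    "allowedCapabilities": ["KILL", "NET_ADMIN", "SYS_ADMIN", "SYS_BOOT", "SYS_TIME"],
    "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "RunAsAny"},
    "fsGroup": {"type": "RunAsAny"}, "supplementalGroups": {"type": "RunAsAny"},
}
# The version that worked: the same, plus host network and host PID namespaces.
WORKING = {**REDHAT_SUGGESTED, "allowHostNetwork": True, "allowHostPID": True}


def widening_changes(baseline, scc):
    """List every setting in `scc` that is more permissive than in `baseline`."""
    findings = []
    for flag in HOST_FLAGS:  # booleans: True is always the wider setting
        if scc.get(flag, False) and not baseline.get(flag, False):
            findings.append(f"{flag}: false -> true")
    added = set(scc.get("allowedCapabilities") or []) - set(baseline.get("allowedCapabilities") or [])
    findings.extend(f"allowedCapabilities: +{cap}" for cap in sorted(added))
    for field in STRATEGIES:  # RunAsAny disables that constraint entirely
        old = (baseline.get(field) or {}).get("type")
        new = (scc.get(field) or {}).get("type")
        if new == "RunAsAny" and old != "RunAsAny":
            findings.append(f"{field}: {old} -> RunAsAny")
    return findings
```

Comparing `WORKING` with `REDHAT_SUGGESTED` reproduces the two flags named above; comparing it with `RESTRICTED` shows everything the custom SCC opens up beyond the default, which is the list to work down when tightening it.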

From: Bosteels Nino <nino.bosteels@xxxxxxxxxxxxxxx>
Date: Thursday, 22 April 2021 at 18:03
To: Ceph Users <ceph-users@xxxxxxx>
Subject: Re: ceph-csi on openshift
It does seem you can apply some rbac in openshift: https://docs.openshift.com/container-platform/4.6/authentication/managing-security-context-constraints.html

For now I'm having no luck, though I've used the service account name now in the custom security context constraint.


On 22/04/2021, 12:57, "Marc" <Marc@xxxxxxxxxxxxxxxxx> wrote:


    I have been hacking this ceph-csi code to get it to work with Mesos. The guys developing this CSI Ceph driver do not seem to grasp the concept of CSI: that it should be a universal driver for OC platforms. They are totally focusing on making Ceph work with Kubernetes. Recently I noticed that the filesystem on RBD devices is mounted and then changed to o+w permissions; now every user on the host is able to do a DoS on tasks with Ceph-mounted storage by filling up the image.

    I think they also do not care that on some occasions your host's root fs is mounted in your task's container (because no proper exception handling is done).

    So if you have problems with something other than Kubernetes with this driver, I am not surprised. And if you use Kubernetes with this driver, better not have any other applications running without containers on your hosts, and do not allow any sysadmins to log on to these hosts ;)


    > -----Original Message-----
    > From: Bosteels Nino <nino.bosteels@xxxxxxxxxxxxxxx>
    > Sent: 22 April 2021 12:36
    > To: Ceph Users <ceph-users@xxxxxxx>
    > Subject:  ceph-csi on openshift
    >
    > Hi,
    >
    > I’m trying to get the ceph-csi working on openshift (I followed this
    > guide: https://docs.ceph.com/en/latest/rbd/rbd-kubernetes/).
    >
    > On openshift it seems you can’t run privileged containers per default
    > and can’t use HostPath etc. For these you need to create a security
    > context constraint (a custom one).
    >
    > I’d like to enable the next person that searches for this, so I
    > contacted red hat through our support plan, and they suggested:
    >
    > kind: SecurityContextConstraints
    > apiVersion: v1
    > metadata:
    >   name: custom-scc
    > allowPrivilegedContainer: true
    > allowHostDirVolumePlugin: true
    > allowHostIPC: false
    > allowHostNetwork: false
    > allowHostPID: false
    > allowHostPorts: false
    > allowPrivilegeEscalation: true
    > allowedCapabilities:
    > - KILL
    > - NET_ADMIN
    > - SYS_ADMIN
    > - SYS_BOOT
    > - SYS_TIME
    > runAsUser:
    >   type: RunAsAny
    > seLinuxContext:
    >   type: RunAsAny
    > fsGroup:
    >   type: RunAsAny
    > supplementalGroups:
    >   type: RunAsAny
    > users:
    > - <your-user-for-which-the-privileges-are-required>
    >
    > It didn’t work to create this after going through the guide, so I’ll run
    > through it again, but wanted to ask if anyone else has already done this
    > and also if someone could add it to the ceph wiki.
    >
    > Kr,
    > Nino
    >
    > _______________________________________________
    > ceph-users mailing list -- ceph-users@xxxxxxx
    > To unsubscribe send an email to ceph-users-leave@xxxxxxx