avoid naming conflicts on rbac when deploying one operator per namespace
[Candidate for upstream]

When deploying multiple Ceph clusters on a single Kubernetes cluster (for
multi-tenancy, for example), one can deploy one operator per namespace thanks
to the `currentNamespaceOnly` Helm value. Unfortunately, deploying the
rook-ceph Helm chart in distinct namespaces then runs into conflicts on the
ClusterRole/ClusterRoleBinding objects.

This commit adds a namespace suffix to the ClusterRole/ClusterRoleBinding names
when the operator is deployed with `currentNamespaceOnly=true`.
Peter Goron authored and jlcCriteo committed Mar 1, 2024
1 parent 0748e4f commit 58c9b59
Showing 4 changed files with 40 additions and 30 deletions.
9 changes: 9 additions & 0 deletions deploy/charts/library/templates/_cluster-rolebinding.tpl
Expand Up @@ -66,12 +66,21 @@ subjects:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
{{- $operatorWatchesCurrentNamespaceOnly := .Values.currentNamespaceOnly | default false -}}
{{- if $operatorWatchesCurrentNamespaceOnly }}
name: rook-ceph-mgr-system
{{- else }}
name: rook-ceph-mgr-system{{ template "library.suffix-cluster-namespace" . }}
{{- end }}
namespace: {{ .Values.operatorNamespace | default .Release.Namespace }} # namespace:operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- if $operatorWatchesCurrentNamespaceOnly }}
name: rook-ceph-mgr-system{{ template "library.suffix-cluster-namespace" . }}
{{- else }}
name: rook-ceph-mgr-system
{{- end }}
subjects:
- kind: ServiceAccount
name: rook-ceph-mgr
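Review bot: In the `currentNamespaceOnly` branch the `roleRef` now names `rook-ceph-mgr-system{{ template "library.suffix-cluster-namespace" . }}`, whose suffix is the cluster release's namespace, whereas the operator chart in this same commit names the ClusterRole after the operator release's namespace; the two only coincide when the cluster chart is installed into the operator namespace. Kubernetes does not check that a `roleRef` target exists, so on a mismatch the binding is created pointing at a missing ClusterRole and the mgr silently ends up with no permissions, which is harder to notice than the install conflict this commit fixes. Derive the suffix from the same `$operatorNamespace` that the `namespace:` line of this binding already uses, or `fail` the render when `currentNamespaceOnly` is set and the two namespaces differ, and say so next to the flag: `{{/* must match the operator chart's currentNamespaceOnly, otherwise the ClusterRole named below does not exist */}}`. The rest of this template before file line 66 is outside the hunk; any other binding there that references a ClusterRole renamed by this commit needs the same treatment.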
Expand Up @@ -11,8 +11,9 @@ If the cluster namespace is different from the operator namespace, we want to na
{{- define "library.suffix-cluster-namespace" -}}
{{/* the operator chart won't set .Values.operatorNamespace, so default to .Release.Namespace */}}
{{- $operatorNamespace := .Values.operatorNamespace | default .Release.Namespace -}}
{{- $operatorWatchesCurrentNamespaceOnly := .Values.currentNamespaceOnly | default false -}}
{{- $clusterNamespace := .Release.Namespace -}}
{{- if ne $clusterNamespace $operatorNamespace -}}
{{- if or (ne $clusterNamespace $operatorNamespace) $operatorWatchesCurrentNamespaceOnly -}}
{{ printf "-%s" $clusterNamespace }}
{{- end }}
{{- end }}
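Review bot: With `currentNamespaceOnly` set, this helper now appends `.Release.Namespace` of the cluster release, but the operator chart in this commit suffixes its ClusterRoles with the operator release's namespace, so the rendered name only matches when the cluster is installed into the operator namespace; since the API server does not validate that a `roleRef` target exists, a mismatch yields a silently dangling binding rather than an error. Making the constraint explicit costs one line: `{{- if and $operatorWatchesCurrentNamespaceOnly (ne $clusterNamespace $operatorNamespace) }}{{ fail "currentNamespaceOnly requires the cluster to be deployed in the operator namespace" }}{{- end }}`. The comment above the `define` (the hunk's first line) still describes only the "cluster namespace differs from operator namespace" case and should mention that the suffix is now also applied when `currentNamespaceOnly` is true.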
26 changes: 13 additions & 13 deletions deploy/charts/rook-ceph/templates/clusterrole.yaml
Expand Up @@ -2,7 +2,7 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-system
name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
Expand All @@ -26,7 +26,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rook-ceph-cluster-mgmt
name: rook-ceph-cluster-mgmt{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
Expand Down Expand Up @@ -59,7 +59,7 @@ apiVersion: rbac.authorization.k8s.io/v1
# operator config `ROOK_CURRENT_NAMESPACE_ONLY=true`.
kind: ClusterRole
metadata:
name: rook-ceph-global
name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
Expand Down Expand Up @@ -258,7 +258,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-mgr-cluster
name: rook-ceph-mgr-cluster{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
Expand Down Expand Up @@ -298,7 +298,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-mgr-system
name: rook-ceph-mgr-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups:
- ""
Expand All @@ -315,7 +315,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-object-bucket
name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
Expand Down Expand Up @@ -375,7 +375,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-osd
name: rook-ceph-osd{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups:
- ""
Expand All @@ -390,7 +390,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-nodeplugin
name: cephfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups: [""]
resources: ["nodes"]
Expand All @@ -400,7 +400,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ceph-nfs-external-provisioner-runner
name: ceph-nfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
Expand Down Expand Up @@ -453,7 +453,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ceph-nfs-csi-nodeplugin
name: ceph-nfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
Expand All @@ -467,7 +467,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-external-provisioner-runner
name: cephfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
Expand Down Expand Up @@ -512,7 +512,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin
name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
Expand Down Expand Up @@ -543,7 +543,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-external-provisioner-runner
name: rbd-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
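Review bot: The suffix expression `{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}` is pasted into thirteen ClusterRole names in this file (and sixteen more in clusterrolebinding.yaml), and it is computed differently from the library helper the cluster chart uses to locate these same ClusterRoles. Defining it once, e.g. `{{- define "rook-ceph.rbac-suffix" -}}{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}{{- end -}}`, and writing `name: rook-ceph-osd{{ include "rook-ceph.rbac-suffix" . }}` keeps the operator and cluster charts from drifting apart, which matters here because a wrong ClusterRole name is not rejected by the API server but simply grants nothing. A one-line comment at the top of the file explaining the scheme would also help the next reader: `# ClusterRoles are cluster-scoped; with currentNamespaceOnly each per-namespace operator gets its own copy so releases don't collide.`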
32 changes: 16 additions & 16 deletions deploy/charts/rook-ceph/templates/clusterrolebinding.yaml
Expand Up @@ -2,15 +2,15 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-system
name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
{{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rook-ceph-system
name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-ceph-system
Expand All @@ -20,15 +20,15 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-global
name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
{{- include "library.rook-ceph.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rook-ceph-global
name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-ceph-system
Expand All @@ -38,11 +38,11 @@ kind: ClusterRoleBinding
# Give Rook-Ceph Operator permissions to provision ObjectBuckets in response to ObjectBucketClaims.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rook-ceph-object-bucket
name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rook-ceph-object-bucket
name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-ceph-system
Expand All @@ -51,27 +51,27 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-nodeplugin
name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-plugin-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
name: rbd-csi-nodeplugin
name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-provisioner-role
name: cephfs-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-cephfs-provisioner-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
name: cephfs-external-provisioner-runner
name: cephfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
---
# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
Expand All @@ -93,42 +93,42 @@ roleRef:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ceph-nfs-csi-provisioner-role
name: ceph-nfs-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-nfs-provisioner-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
name: ceph-nfs-external-provisioner-runner
name: ceph-nfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
---
# TODO: remove this, once https://github.com/rook/rook/issues/10141
# is resolved.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ceph-nfs-csi-nodeplugin-role
name: ceph-nfs-csi-nodeplugin-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-nfs-plugin-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
name: ceph-nfs-csi-nodeplugin
name: ceph-nfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
---
{{ end }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rbd-csi-provisioner-role
name: rbd-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-provisioner-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
name: rbd-external-provisioner-runner
name: rbd-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
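Review bot: Suffixing removes the name collision but does not narrow what each operator can do: these are still ClusterRoleBindings, so every per-namespace operator's service accounts keep the cluster-wide rights granted by `rook-ceph-global`, `rook-ceph-system`, `rook-ceph-object-bucket` and the CSI roles; since the commit description mentions multi-tenancy, a comment should state that plainly so nobody assumes the releases are isolated from each other, e.g. `# NOTE: the suffix only avoids name clashes between releases; the grants below remain cluster-wide.`. Separately, the hunks jump from file line 77 (the `# This is required by operator-sdk ...` context line) to line 93, so the ClusterRoleBinding that comment introduces appears untouched and presumably keeps a fixed name, which would still collide on the second install. The `{{ end }}` / `{{- end }}` conditionals closed at the bottom of the file are opened outside the hunks.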
