From 58c9b596badf2a0e473fab8b0e6f41562852a96e Mon Sep 17 00:00:00 2001
From: Peter Goron
Date: Sat, 26 Aug 2023 16:37:20 +0200
Subject: [PATCH] avoid naming conflicts on rbac when deploying one operator
per namespace
[Candidate for upstream]
When deploying multiple Ceph clusters on a single Kubernetes cluster (for
multi-tenancy, for example), we can opt for deploying one operator per
namespace thanks to the currentNamespaceOnly Helm variable. Unfortunately,
the cluster-scoped ClusterRole/ClusterRoleBinding names then conflict when
the rook-ceph Helm chart is deployed in distinct namespaces.
This commit adds namespace suffix to ClusterRole/ClusterRoleBinding when
deploying operator with currentNamespaceOnly=true
---
.../templates/_cluster-rolebinding.tpl | 9 ++++++
.../templates/_suffix-cluster-namespace.tpl | 3 +-
.../rook-ceph/templates/clusterrole.yaml | 26 +++++++--------
.../templates/clusterrolebinding.yaml | 32 +++++++++----------
4 files changed, 40 insertions(+), 30 deletions(-)
diff --git a/deploy/charts/library/templates/_cluster-rolebinding.tpl b/deploy/charts/library/templates/_cluster-rolebinding.tpl
index dc5e05f29daf..b59a17e06de8 100644
--- a/deploy/charts/library/templates/_cluster-rolebinding.tpl
+++ b/deploy/charts/library/templates/_cluster-rolebinding.tpl
@@ -66,12 +66,21 @@ subjects:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
+ {{- $operatorWatchesCurrentNamespaceOnly := .Values.currentNamespaceOnly | default false -}}
+ {{- if $operatorWatchesCurrentNamespaceOnly }}
+ name: rook-ceph-mgr-system
+ {{- else }}
name: rook-ceph-mgr-system{{ template "library.suffix-cluster-namespace" . }}
+ {{- end }}
namespace: {{ .Values.operatorNamespace | default .Release.Namespace }} # namespace:operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
+ {{- if $operatorWatchesCurrentNamespaceOnly }}
+ name: rook-ceph-mgr-system{{ template "library.suffix-cluster-namespace" . }}
+ {{- else }}
name: rook-ceph-mgr-system
+ {{- end }}
subjects:
- kind: ServiceAccount
name: rook-ceph-mgr
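Review bot: The roleRef at L39 takes its suffix from `library.suffix-cluster-namespace`, which after this patch appends the cluster chart's `.Release.Namespace` when that chart's `.Values.currentNamespaceOnly` is true, whereas the ClusterRole it has to match is named from the operator chart's own `.Release.Namespace` and `.Values.currentNamespaceOnly`. Nothing ties those two values together, and the API server accepts a RoleBinding whose roleRef does not exist, so setting the flag on only one chart (or releasing the two charts in different namespaces) yields a binding to a missing ClusterRole and the mgr silently loses these permissions instead of failing at install time. A comment above the branch would spare the next maintainer the puzzle of why name and roleRef swap suffixes: `{{/* currentNamespaceOnly: the ClusterRole is suffixed with the namespace (rook-ceph/templates/clusterrole.yaml); both charts must set currentNamespaceOnly to the same value */}}`. Consider also failing fast, e.g. `{{- if and $operatorWatchesCurrentNamespaceOnly (ne .Release.Namespace (.Values.operatorNamespace | default .Release.Namespace)) }}{{ fail "currentNamespaceOnly requires the cluster to be released in the operator namespace" }}{{- end }}`.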
diff --git a/deploy/charts/library/templates/_suffix-cluster-namespace.tpl b/deploy/charts/library/templates/_suffix-cluster-namespace.tpl
index fdf679340d21..0f0e5e08dcd8 100644
--- a/deploy/charts/library/templates/_suffix-cluster-namespace.tpl
+++ b/deploy/charts/library/templates/_suffix-cluster-namespace.tpl
@@ -11,8 +11,9 @@ If the cluster namespace is different from the operator namespace, we want to na
{{- define "library.suffix-cluster-namespace" -}}
{{/* the operator chart won't set .Values.operatorNamespace, so default to .Release.Namespace */}}
{{- $operatorNamespace := .Values.operatorNamespace | default .Release.Namespace -}}
+{{- $operatorWatchesCurrentNamespaceOnly := .Values.currentNamespaceOnly | default false -}}
{{- $clusterNamespace := .Release.Namespace -}}
-{{- if ne $clusterNamespace $operatorNamespace -}}
+{{- if or (ne $clusterNamespace $operatorNamespace) $operatorWatchesCurrentNamespaceOnly -}}
{{ printf "-%s" $clusterNamespace }}
{{- end }}
{{- end }}
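Review bot: The helper's doc comment (its visible tail at L50 describes only the "cluster namespace differs from operator namespace" case) no longer matches the condition at L57, which now also suffixes when `currentNamespaceOnly` is set. I would extend it along the lines of `{{/* ... or when currentNamespaceOnly is true, so that per-namespace operators get uniquely named cluster-scoped RBAC; the cluster chart must set currentNamespaceOnly to the same value as the operator chart. */}}`, since that cross-chart requirement is new and otherwise undocumented. The `| default false` at L54 is redundant for a boolean (an unset or false value is already falsy in `if`/`or`), though harmless.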
diff --git a/deploy/charts/rook-ceph/templates/clusterrole.yaml b/deploy/charts/rook-ceph/templates/clusterrole.yaml
index 83079898351f..f6d5aba406b4 100644
--- a/deploy/charts/rook-ceph/templates/clusterrole.yaml
+++ b/deploy/charts/rook-ceph/templates/clusterrole.yaml
@@ -2,7 +2,7 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-system
+ name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
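Review bot: The suffix expression `{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}` introduced at L70 is repeated verbatim on every renamed ClusterRole and ClusterRoleBinding in this patch (roughly twenty-five copies), and a typo in any one copy produces a binding that points at a nonexistent role with no error from Helm or the API server. Factor it into a named template in the chart's helpers, e.g. `{{- define "rook-ceph.rbacSuffix" -}}{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}{{- end -}}`, and write `name: rook-ceph-system{{ include "rook-ceph.rbacSuffix" . }}` at each site. That also mirrors how the library chart already derives its suffix through `library.suffix-cluster-namespace` rather than inlining the logic.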
@@ -26,7 +26,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: rook-ceph-cluster-mgmt
+ name: rook-ceph-cluster-mgmt{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
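Review bot: `rook-ceph-cluster-mgmt` is renamed at L79 under currentNamespaceOnly, but no hunk in this patch updates a binding whose roleRef is `rook-ceph-cluster-mgmt`; the same holds for `rook-ceph-mgr-cluster` and `rook-ceph-osd` renamed further down in this file. If these ClusterRoles are bound from the cluster chart's library templates (as the mgr-system one in `_cluster-rolebinding.tpl` is), those bindings would keep referring to the unsuffixed name and grant nothing, which Kubernetes does not reject at apply time. Please either update the corresponding roleRefs in the same commit or state in the message why they are out of scope; rendering both charts with `currentNamespaceOnly=true` via `helm template` and cross-checking every `roleRef.name` against the emitted ClusterRole names would confirm nothing dangles.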
@@ -59,7 +59,7 @@ apiVersion: rbac.authorization.k8s.io/v1
# operator config `ROOK_CURRENT_NAMESPACE_ONLY=true`.
kind: ClusterRole
metadata:
- name: rook-ceph-global
+ name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
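Review bot: Suffixing `rook-ceph-global` per namespace at L88 keeps one cluster-wide ClusterRole per tenant operator rather than scoping anything down, so each per-namespace operator still receives the full cluster-wide rule set this role carries. The visible comment tail at L84 (`ROOK_CURRENT_NAMESPACE_ONLY=true`) suggests the role's rules are somehow tied to that mode, so it is worth checking whether some rules could be dropped or the role omitted entirely when currentNamespaceOnly is set; the preceding comment begins outside this hunk, so I cannot tell from here. If the role must stay, a one-line comment above L85 such as `# With currentNamespaceOnly=true each per-namespace operator still gets these cluster-wide rights; only the name is scoped.` would make the privilege trade-off explicit for multi-tenant reviewers.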
@@ -258,7 +258,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-mgr-cluster
+ name: rook-ceph-mgr-cluster{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
@@ -298,7 +298,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-mgr-system
+ name: rook-ceph-mgr-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups:
- ""
@@ -315,7 +315,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-object-bucket
+ name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
@@ -375,7 +375,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-osd
+ name: rook-ceph-osd{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups:
- ""
@@ -390,7 +390,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-nodeplugin
+ name: cephfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups: [""]
resources: ["nodes"]
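Review bot: `cephfs-csi-nodeplugin` is renamed at L133, but the clusterrolebinding.yaml hunks in this patch only touch the rbd (`rbd-csi-nodeplugin`) and NFS (`ceph-nfs-csi-nodeplugin`) nodeplugin bindings; the cephfs nodeplugin ClusterRoleBinding, which presumably sits in an untouched range of that file, would then still reference the unsuffixed `cephfs-csi-nodeplugin` and dangle when currentNamespaceOnly is true. The cephfs CSI plugin would lose its `nodes` access without any install-time error, since a ClusterRoleBinding to a missing ClusterRole is accepted by the API server. Please apply the same suffix to that binding's `metadata.name` and `roleRef.name`, or note why it is exempt.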
@@ -400,7 +400,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: ceph-nfs-external-provisioner-runner
+ name: ceph-nfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
@@ -453,7 +453,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: ceph-nfs-csi-nodeplugin
+ name: ceph-nfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
@@ -467,7 +467,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-external-provisioner-runner
+ name: cephfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
@@ -512,7 +512,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rbd-csi-nodeplugin
+ name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
@@ -543,7 +543,7 @@ rules:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rbd-external-provisioner-runner
+ name: rbd-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
diff --git a/deploy/charts/rook-ceph/templates/clusterrolebinding.yaml b/deploy/charts/rook-ceph/templates/clusterrolebinding.yaml
index 6ece08331079..4922f7d17ee7 100644
--- a/deploy/charts/rook-ceph/templates/clusterrolebinding.yaml
+++ b/deploy/charts/rook-ceph/templates/clusterrolebinding.yaml
@@ -2,7 +2,7 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-system
+ name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
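Review bot: For an install that already runs with `currentNamespaceOnly=true`, the rename at L191 makes the next `helm upgrade` replace `rook-ceph-system` with `rook-ceph-system-<namespace>`; as far as I recall Helm 3 creates new objects before pruning the removed ones, so the operator SA should not lose rights, but anything outside the chart that keys on the old ClusterRoleBinding name (admission policies, audit rules, kubectl scripts) will break silently. The commit message should call this out as a visible behaviour change for existing currentNamespaceOnly users, and the values documentation for `currentNamespaceOnly` should mention that cluster-scoped RBAC objects are now suffixed with the release namespace.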
@@ -10,7 +10,7 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: rook-ceph-system
+ name: rook-ceph-system{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-ceph-system
@@ -20,7 +20,7 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-global
+ name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
labels:
operator: rook
storage-backend: ceph
@@ -28,7 +28,7 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: rook-ceph-global
+ name: rook-ceph-global{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-ceph-system
@@ -38,11 +38,11 @@ kind: ClusterRoleBinding
# Give Rook-Ceph Operator permissions to provision ObjectBuckets in response to ObjectBucketClaims.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rook-ceph-object-bucket
+ name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: rook-ceph-object-bucket
+ name: rook-ceph-object-bucket{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-ceph-system
@@ -51,27 +51,27 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rbd-csi-nodeplugin
+ name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-plugin-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
- name: rbd-csi-nodeplugin
+ name: rbd-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: cephfs-csi-provisioner-role
+ name: cephfs-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-cephfs-provisioner-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
- name: cephfs-external-provisioner-runner
+ name: cephfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
---
# This is required by operator-sdk to map the cluster/clusterrolebindings with SA
@@ -93,14 +93,14 @@ roleRef:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: ceph-nfs-csi-provisioner-role
+ name: ceph-nfs-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-nfs-provisioner-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
- name: ceph-nfs-external-provisioner-runner
+ name: ceph-nfs-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
---
# TODO: remove this, once https://github.com/rook/rook/issues/10141
@@ -108,27 +108,27 @@ roleRef:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: ceph-nfs-csi-nodeplugin-role
+ name: ceph-nfs-csi-nodeplugin-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-nfs-plugin-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
- name: ceph-nfs-csi-nodeplugin
+ name: ceph-nfs-csi-nodeplugin{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
---
{{ end }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: rbd-csi-provisioner-role
+ name: rbd-csi-provisioner-role{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
subjects:
- kind: ServiceAccount
name: rook-csi-rbd-provisioner-sa
namespace: {{ .Release.Namespace }} # namespace:operator
roleRef:
kind: ClusterRole
- name: rbd-external-provisioner-runner
+ name: rbd-external-provisioner-runner{{ if .Values.currentNamespaceOnly }}-{{ .Release.Namespace }}{{ end }}
apiGroup: rbac.authorization.k8s.io
{{- end }}